Cryptosystem

ABSTRACT

A cryptosystem for RSA cryptography which calculates C≡M^(e) mod n and, for this calculation, performs the operation C=M₁ ×M₂ mod n. The operation ##EQU1## is performed in the order j=l, l-1, . . . 1 to obtain, last, R₁ as the result of the calculation M₁ ×M₂ mod n. The calculation ##EQU2## is performed in a quotient calculating unit, and the calculation M₁ ×M₂,j' +2^(λ) R_(j+1) -Q_(j) ·n is performed in a main adding unit. Here the variable R_(j) may be divided into two parts, R_(j,0) and R_(j,1). In this way the multiplication and the division are conducted simultaneously, thereby raising the calculation speed.

BACKGROUND OF THE INVENTION

The present invention relates to a cryptosystem for enciphering messages or information used in ordinary communications and in electronic computers and for deciphering the resulting cryptogram and, more particularly, to a cryptosystem for encryption and/or decryption in a public-key cryptosystem in which the encryption key may be publicly revealed.

In a public-key cryptosystem, different keys are employed for encryption and decryption: anyone can encipher a message using the publicly revealed encryption key, but only the receiver can decipher the enciphered message using the privately held decryption key, thereby ensuring private communication. A well-known public-key cryptosystem of this kind is the RSA cryptosystem proposed in R. L. Rivest et al. "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, February 1978, Vol. 21, No. 2, pp 120-126.

The encryption and decryption procedures are represented by the following congruences:

    Encryption: C≡M^(e) mod n                          (1)

    Decryption: M≡C^(d) mod n                          (2)

where C, M, e, d and n are all integers: C is the representation of a cryptogram as an integer, M the representation of a plain text as an integer, e and n the encryption key, d and n the decryption key, and e≠d. In the present invention all the variables except control signals are integers and are represented in 2's complement. The values of n, e and d are chosen, to enhance the security protection capability, as follows: n=10¹⁰⁰ to 10²⁰⁰, e=10⁵⁰ to 10¹⁰⁰ and d=10⁵⁰ to 10¹⁰⁰. The encryption procedure, i.e. the calculation of the remainder C when M^(e) is divided by n, is carried out in the manner described below. Here, M₁, M₂, R and C are variables.

Preparation: Let e be represented by ##EQU3## where e_(i) =0 or 1.

Step 1: Set the variable C to 1.

Step 2: Execute steps 2a and 2b for i=k, k-1, . . . , 1, 0.

Step 2a:

M₁ =C, M₂ =C

R≡M₁ ×M₂ mod n

C=R

Step 2b:

When e_(i) =1

M₁ =C, M₂ =M

R≡M₁ ×M₂ mod n

C=R

Step 3: Halt.

In the above steps the symbol "=" means that the value of the right side is assigned to the variable on the left side.

Thus the encryption procedure of the RSA cipher, that is, the computation of C≡M^(e) mod n, is completed. This calculating procedure will hereinafter be called the "exponentiation procedure".

As will be seen from a comparison of Eqs. (1) and (2), the decryption procedure is performed in the same way using d instead of e. If the RSA cryptosystem performing such encryption and decryption were implemented using LSI technology such as CMOS or nMOS, the circuit scale of the cryptosystem would be on the order of 100 to 200 K gates. Since the integration density of prior art LSIs is in the range of 10 to 30 K gates per chip, implementation of such a cryptosystem is difficult.

To avoid this difficulty, a crypto-LSI with a microprogram control system and a circuit scale of about 20K gates has been proposed in R. L. Rivest "A Description of a Single-Chip Implementation of the RSA Public-Key Cryptosystem", National Telecommunication Conference, 1980, Conference Record Vol. 3 of 4, pp 49.2.1-49.2.4. This crypto-LSI is impractical since its computing speed for cryptography is as low as 1.2K bits/s. Furthermore, since the encryption key of the RSA cryptosystem has a fixed length of 512 bits in this crypto-LSI, no cryptographic procedure can be carried out when the length of the encryption key is, for example, 256 or 1024 bits.

As described above, in this cryptosystem the calculation R≡M₁ ×M₂ mod n is conducted many times. In the past this calculation has been performed in the same manner as ordinary multiplication and division: M₁ ×M₂ is obtained by sequential multiplications in ascending order, starting with the least significant digit, and the product is then divided by n sequentially in descending order, starting with the most significant digit. This cryptosystem therefore has the defect that the computing time is markedly long because the multiplication and the division are carried out one after the other.

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide a cryptosystem which can easily be fabricated as an LSI.

Another object of the present invention is to provide a cryptosystem which permits high-speed encryption and decryption.

Yet another object of the present invention is to provide a cryptosystem at low cost in which the length of an encryption and/or decryption key can be selected over a wide range, such as l bits (l being a constant), 2·l bits and a·l bits (a being an integer).

Since the encryption and the decryption follow the same procedure, as described previously, the following description covers the encryption procedure alone.

According to the present invention, the calculation in the aforementioned step

    R≡M₁ ×M₂ mod n                       (3)

is performed in the manner described below. The variables e, n, M, C, M₁ and M₂ are non-negative integers and, in the following description, the same characters are also used to denote the signals corresponding to the variables. For instance, the variable M₂ is also a signal M₂, and a variable δ₄(j-1)+i (i=0, 1, 2, 3) is also a signal δ₄(j-1)+i (i=0, 1, 2, 3). The variable M₂ is divided into l groups of λ bits each as follows: ##EQU4## where j, R_(j) and Q_(j) are variables.

Step ① R_(l+1) =0

Step ② Set j=l, l-1, . . . , 1 and perform the following operations:

    Q_(j) =[(2^(λ) ·R_(j+1) +M₁ ·M₂,j)÷n]                               (5)

    R_(j) =(2^(λ) ·R_(j+1) +M₁ ·M₂,j)-Q_(j) ·n                  (6)

Step ③ Halt. (R₁ ≡M₁ ×M₂ mod n)

Here, [x] represents the largest integer equal to or smaller than x. For instance, [1.0]=1, [1.5]=1, [-1.5]=-2 and so forth. By multiplying both sides of Eq. (6) by 2^((j-1)λ) and summing, for each side, the results for all j=1 to j=l as shown by the following equation, it is proved that this calculation method is correct. ##EQU5##

The addition and the subtraction in Eq. (6) can be performed at high speed using a carry save adder (CSA). Since the variables R_(j+1), M₁ and n are extremely large, however, the calculation of Eq. (5) is liable to take too much time; it is therefore preferred that these equations be calculated using the approximations described hereinafter. Since the carry save adder has two outputs, R_(j) is divided into two parts as follows: ##EQU6## For high-speed calculation of Q_(j), a constant number m of bits is omitted from the low-order side of every variable in Eq. (5); all the variables are represented in 2's complement as mentioned before. By this omission Q_(j) is approximated by Q_(j) '. ##EQU7## Here the constant S is introduced to suppress the error resulting from the approximation.

Eq. (8) is a division, which takes much time. To speed up the computation, a variable v for the reciprocal of the divisor [n·2^(-m)] and a constant u are introduced, converting Eq. (8) into a multiplication. By this procedure Q_(j) ' is approximated by Q_(j) ". ##EQU8## The error resulting from this approximation cannot be made zero but can be reduced. By optimal selection of the constants m, S and u, the errors γ_(1j) and γ_(2j) can be reduced as follows (the reason will be described later): ##EQU9##

A concrete description will now be given of performing the operation R≡M₁ ×M₂ mod n with the above approximation. Since M and n are, for example, about 10²⁰⁰, which is roughly equal to 2⁵⁰⁰ as mentioned previously, each variable is represented by a binary number of 512-bit length.

The following conditions are set, by way of example: ##EQU10##

(i) n is inputted and v is obtained from Eq. (11).

    v←[2^(13) ÷[n·2^(-504) ]]            (15)

where 2⁵ <v<2⁶.

(ii)

    M₁ and M₂ are inputted.                          (16)

Repeated Calculation.

The calculation method will be shown below in the form of a program flowchart.

Step 0:

    j←128, R_(129,1) ←0, R_(129,0) ←0       (17)

Step 1: From Eq. (11) ##EQU11## where -2¹³ <X_(j) "<2¹³

Step 2: ##EQU12##

When Q_(j) "=32, set Q_(j) "=31 and when Q_(j) "=-32, set Q_(j) "=-31.

Step 3: From Eq. (6) ##EQU13##

Step 4: ##EQU14##

Step 5: The repeated calculation ends.

CALCULATION FOR COMPENSATION

##EQU15##

In the case where the variable e is represented by 512 bits, its high-order bits are a run of zeros. This follows from the conditions stated above, n=10¹⁰⁰ to 10²⁰⁰ and e=10⁵⁰ to 10¹⁰⁰. Since j runs from 128 to 1, the repeated calculation is conducted 128 times. The range of Q_(j) " obtained from Eq. (19) is -31≦Q_(j) "≦31. The calculation method mentioned above will be proved appropriate later.

In the compensating calculation, the number of executions of Step 7 may be zero, one or two. The reason for this will be described later. When Step 6 is executed for the first time, the following condition holds: ##EQU16## So a register of 514-bit length, including the sign bit, is employed for storing R₁,i, and accordingly an adder 514 bits wide is used for the operation of Eq. (20). In the operation of Eq. (18), 500 bits are discarded for R_(j+1),i and 504, 503, 502 and 501 bits are discarded for M_(i) according to the values i=0, 1, 2, 3, respectively. The adder for obtaining X_(j) " may be 14 bits wide, including the sign bit, because of the condition -2¹³ <X_(j) "<2¹³.
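The following Python, added here and not code from the patent, implements the exponentiation procedure (Steps 1 to 3) and the interleaved multiply-and-reduce of Eqs. (5) and (6), once with the exact quotient and once with a simplified quotient estimate in the spirit of Eqs. (8) to (10) and (15) (low-order bits discarded, then a multiplication by the reciprocal v) followed by a compensation loop. The constants S and u, the exact forms of Eqs. (18) and (19) and the test values are my own assumptions, so the estimate is cruder than the patent's and the number of compensation steps is not limited to two.

```python
# Added example, not code from the patent: interleaved multiply-and-reduce
# (Eqs. 5/6) and the exponentiation procedure (Steps 1-3). With approx=True
# the quotient is estimated from truncated operands and the reciprocal v of
# Eq. (15) (m = 504 discarded bits, v scaled by 2^13). The constants S and u
# and Eqs. (18)/(19) are not reproduced on the page, so the estimate here is
# a simplified one of my own; a final compensation loop absorbs its error.

LAM = 4          # lambda: bits per digit of M2, so l = 128 digits for 512 bits
M_DISCARD = 504  # low-order bits dropped before the quotient estimate
V_SHIFT = 13     # v is scaled by 2^13, see Eq. (15)


def reciprocal_v(n):
    """v <- [2^13 / [n * 2^-504]] (Eq. 15). Assumes a 512-bit n with its MSB
    set; for such n the page states 2^5 < v < 2^6."""
    assert 1 << 511 <= n < 1 << 512, "example assumes a 512-bit modulus"
    n_top = n >> M_DISCARD               # [n * 2^-504], an 8-bit value
    return (1 << V_SHIFT) // n_top


def quotient_estimate(T, n, v):
    """Estimate [T / n] from the top bits of T and the reciprocal v.

    The wide division of Eq. (5) becomes a ~14-bit by 6-bit multiply.
    Rounding to nearest keeps the error roughly centred on zero, so the
    signed partial remainder stays within a small multiple of n.
    """
    X = T >> M_DISCARD                   # floor division, also for negative T
    return (X * v + (1 << (V_SHIFT - 1))) >> V_SHIFT


def mul_mod_interleaved(M1, M2, n, approx=False, stats=None):
    """R_1 = M1 * M2 mod n, digit by digit from the most significant digit.

    approx=False: exactly Steps (1)-(3) of the page (Eqs. 5 and 6).
    approx=True:  Q_j comes from quotient_estimate, so R_j may be negative
                  or exceed n; a compensation loop at the end fixes that.
    Because R_j = T_j - Q_j * n holds for any integer Q_j, the final value
    is congruent to M1 * M2 mod n either way; only its range differs.
    """
    assert 0 <= M1 < n and 0 <= M2 < n
    l = -(-n.bit_length() // LAM)        # number of lambda-bit digits of M2
    v = reciprocal_v(n) if approx else None
    R = 0                                # Step (1): R_{l+1} = 0
    for j in range(l, 0, -1):            # Step (2): j = l, l-1, ..., 1
        M2_j = (M2 >> ((j - 1) * LAM)) & ((1 << LAM) - 1)
        T = (R << LAM) + M1 * M2_j       # 2^lambda * R_{j+1} + M1 * M2_j
        Q = quotient_estimate(T, n, v) if approx else T // n   # Eq. (5)
        R = T - Q * n                    # Eq. (6)
        if stats is not None:
            prev = stats.get("max_abs_R_over_n", 0.0)
            stats["max_abs_R_over_n"] = max(prev, abs(R) / n)
    steps = 0                            # compensation: bring R into [0, n)
    while R < 0:
        R, steps = R + n, steps + 1
    while R >= n:
        R, steps = R - n, steps + 1
    if stats is not None:
        stats["compensation_steps"] = steps
    return R                             # Step (3): R_1 = M1 * M2 mod n


def exponentiation(M, e, n, approx=False):
    """C = M^e mod n by the page's Steps 1-3: for each bit of e from the top,
    square (Step 2a) and, when e_i = 1, multiply by M (Step 2b)."""
    C = 1                                # Step 1
    for bit in bin(e)[2:]:               # e_k, e_{k-1}, ..., e_0
        C = mul_mod_interleaved(C, C, n, approx)       # Step 2a
        if bit == "1":
            C = mul_mod_interleaved(C, M, n, approx)   # Step 2b
    return C                             # Step 3


# Constructed test values (not from the page): a 512-bit odd modulus whose
# top byte is 0xAB (so v = 8192 // 171 = 47), a message below it, and a
# short exponent. Any odd 512-bit n with its top bit set behaves the same.
N_TEST = (0xAB << 504) | (0xC0FFEE << 200) | 0x1F3B7
M_TEST = (0x5EED << 400) | 0xABCDEF
E_TEST = 0b1011001


def demo():
    """Run both quotient strategies and report how far R_j strayed from [0, n)."""
    stats = {}
    r_approx = mul_mod_interleaved(M_TEST, M_TEST, N_TEST, approx=True, stats=stats)
    expected = M_TEST * M_TEST % N_TEST
    return {
        "exact_ok": mul_mod_interleaved(M_TEST, M_TEST, N_TEST) == expected,
        "approx_ok": r_approx == expected,
        "pow_ok": exponentiation(M_TEST, E_TEST, N_TEST, approx=True)
                  == pow(M_TEST, E_TEST, N_TEST),
        "max_abs_R_over_n": stats["max_abs_R_over_n"],
        "compensation_steps": stats["compensation_steps"],
    }


if __name__ == "__main__":
    print(demo())
```

With a 512-bit modulus whose top bit is set, the estimate's relative error is a few percent, so the partial remainder stays within about 2n in magnitude, which is why the page's register for R₁,i needs only a sign bit and one extra bit beyond 512.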

As described previously, the operation C≡M₁ ×M₂ mod n required for the cryptographic calculation can be performed by the eight steps ① to ⑧. The embodiments of the present invention described later execute this computation. That is, a quotient calculating unit, a main adding unit and a controller are provided. The quotient calculating unit receives M₁, M₂,j, n and R_(j+1) and performs the operation Q_(j) =[(M₁ ×M₂,j +2^(λ) ·R_(j+1))÷n]. The main adding unit receives M₁, M₂,j, Q_(j), R_(j+1) and n and performs the operation M₁ ×M₂,j +2^(λ) R_(j+1) -Q_(j) ·n. The controller controls the quotient calculating unit and the main adding unit so that these operations are performed in the order j=l, l-1, . . . 1. As this order indicates, the operation M₁ ×M₂ mod n is performed by carrying out the multiplication and the division simultaneously in descending order, so the calculation is fast. Furthermore, the calculation in the quotient calculating unit can be sped up further by the bit discarding and the multiplication by the reciprocal based on Eq. (10). By using the carry save adder, the addition and subtraction in the main adding unit avoid the time needed for carry propagation. This is very significant because the numbers of digits of M and n are very large and because the number of calculations is large.

In the present invention, the main adding unit is divided into a plurality of slice sections of identical function. M₁ and n are supplied to the slice sections divided into portions of a constant bit width of their binary representations, while M₂,j and Q_(j) are supplied to all slice sections in common. For each set of M₁, n, Q_(j), M₂,j and R_(j+1), the operation R_(j) =M₁ ×M₂,j +2^(λ) ·R_(j+1) -Q_(j) ·n is performed. The slice sections are connected in cascade via signal lines so that part of each calculation result can be passed to the next higher-order slice section. In each slice section, one or more registers for storing the divided portions of M, n, e, R_(j) and C are provided as required. By dividing the main adding unit into slice sections in this way, each slice section can easily be fabricated as an LSI even with the present LSI technology, so the cryptosystem can be produced at low cost. Moreover, by increasing or decreasing the number of slice sections, the lengths of the encryption and decryption keys e and d can be varied with ease.

Applying the same division of the main adding unit into slice sections to the case where M₁ ·M₂ mod n is calculated by performing the multiplication M₁ ·M₂ before the division by n likewise allows the cryptosystem to be fabricated at low cost.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing the principle of a conventional technology for the RSA cryptosystem;

FIG. 2 is a block diagram showing the principle of the cryptosystem of the present invention;

FIG. 3 is a block diagram showing the principle of dividing a main adding unit;

FIGS. 4A to 4Z and 5A to 5Q illustrate symbols of various functions used in the drawings;

FIG. 6 is a block diagram illustrating the whole arrangement of an embodiment of the present invention;

FIG. 7 is a block diagram showing an example of a quotient calculating pre-processing section 60 used in FIG. 6;

FIG. 8 is a block diagram showing an example of a quotient calculating post-processing section 61 used in FIG. 6;

FIG. 9 is a diagram illustrating a specific example of an AND element group 70 used in FIG. 8;

FIG. 10 is a diagram illustrating a specific example of a constant generator 71 utilized in FIG. 8;

FIG. 11 is a diagram illustrating a specific example of an adder 72 employed in FIG. 8;

FIG. 12 is a diagram showing a specific example of a carry save adder CSAUQ1 used in FIG. 8;

FIG. 13 is a diagram showing an example of an adder 73₂ used in FIG. 8;

FIG. 14 is a diagram showing an example of an adder 74₁, used in FIG. 8;

FIG. 15 is a block diagram illustrating a specific example of a slice section employed in FIG. 6;

FIG. 16 is a diagram illustrating an example of an M register 101 utilized in FIG. 15;

FIG. 17 is a diagram showing an example of an n register 103 employed in FIG. 15;

FIG. 18 is a diagram illustrating an example of a C register 104 used in FIG. 15;

FIG. 19 is a diagram showing an example of an M₂ register 105 employed in FIG. 15;

FIG. 20 is a diagram illustrating an example of an e register 102 used in FIG. 15;

FIG. 21 is a diagram illustrating an example of a selector 106 utilized in FIG. 15;

FIG. 22 is a diagram showing an example of a main adding unit 110 employed in FIG. 15;

FIG. 23 is a diagram showing a specific example of an M₁ ·M₂,j calculating section 140 used in FIG. 22;

FIG. 24 is a diagram showing a specific example of a -Q_(j) ·n calculating section 150 used in FIG. 22;

FIG. 25 is a diagram illustrating a specific example of an adding section 160 used in FIG. 22;

FIG. 26 is a diagram illustrating a specific example of a carry save adder 161 used in FIG. 25;

FIG. 27 is a diagram illustrating an example of a register section 170_(L) utilized in FIG. 22;

FIG. 28 is a diagram showing an example of an adder 180 employed in FIG. 22;

FIG. 29 is a diagram showing an example of a carry detector 190 used in FIG. 22;

FIG. 30 is a diagram showing the coupling state of the M register 101;

FIG. 31 is a diagram showing the coupling state of the e register 102;

FIG. 32 is a diagram showing the coupling state of the n register 103;

FIG. 33 is a diagram showing the coupling state of the C register 104;

FIG. 34 is a diagram showing the coupling state of the M₂ register;

FIG. 35 is a diagram showing the coupling state of the selector 106;

FIG. 36 is a diagram showing the coupling state of the main adding unit 110;

FIG. 37 is a diagram showing the coupling state of the M₁ ·M₂ calculating section 140;

FIG. 38 is a diagram showing the coupling state of the -Q_(j) ·n calculating section;

FIG. 39 is a diagram showing the coupling state of the adding section 160;

FIG. 40 is a diagram showing the coupling state of the register section 170_(L) ;

FIG. 41 is a diagram showing the coupling state of the adder 180;

FIG. 42 is a diagram showing the coupling state of the carry detector 190;

FIG. 43 is explanatory of an operation in the coupling states depicted in FIGS. 39 to 41;

FIG. 44 is a diagram showing an arrangement of bits in the coupling state depicted in FIG. 37;

FIG. 45 is explanatory of the operation in the coupling state depicted in FIG. 37;

FIG. 46 is explanatory of an operation in the coupling state depicted in FIG. 38;

FIG. 47 is explanatory of an operation in the coupling state depicted in FIG. 40;

FIG. 48 is explanatory of an operation in the coupling state depicted in FIG. 42;

FIG. 49 is a block diagram showing the outline of a controller 8;

FIGS. 50A₁ to 50U₁ and FIGS. 50A₂ to 50U₂ are, as a whole, a timing chart illustrating the outline of the operation of the controller 8 used in FIG. 6;

FIG. 51 is a diagram illustrating a specific example of a first control section 230 in the controller 8;

FIGS. 52A to 52J are, as a whole, a timing chart showing the operation of the first control section 230;

FIG. 53 is a diagram illustrating a specific example of a second control section 250 in the controller 8;

FIGS. 54A to 54G are, as a whole, a timing chart showing the operation of the second control section 250;

FIG. 55 is a diagram illustrating a specific example of a third control section 260 in the controller 8;

FIGS. 56A to 56H are, as a whole, a timing chart showing the operation of the third control section 260;

FIG. 57 is a diagram illustrating a specific example of a fourth control section 270 in the controller 8;

FIGS. 58A to 58H are, as a whole, a timing chart showing the operation of the fourth control section 270;

FIG. 59 is a diagram illustrating a specific example of a fifth control section 280 in the controller 8;

FIGS. 60A to 60D are, as a whole, a timing chart showing the operation of the fifth control section 280;

FIG. 61 is a diagram illustrating a modified form of the embodiment of FIG. 6 in which the main adding unit 110 is coupled and used as another means for compensating calculation;

FIG. 62 is a diagram illustrating another example of the -Q_(j) ·n calculating section in FIG. 22;

FIGS. 63 to 65 are diagrams respectively showing the logic of circuits 502 to 504 in FIG. 62;

FIG. 66 is a diagram illustrating another example of a quotient calculating unit 9;

FIG. 67 is a diagram showing the logic of a circuit 629 in FIG. 66;

FIG. 68 is a block diagram illustrating the main adding unit in the cryptosystem in the case where the multiplication and division are performed at the same time;

FIG. 69 is a block diagram illustrating the main adding unit in the cryptosystem in the case where the multiplication and division are performed one after the other;

FIG. 70 is a diagram illustrating a specific example of a register section 170_(Y) in FIG. 69;

FIG. 71 is a diagram illustrating an example of the main adding unit shown in FIG. 68 being divided;

FIG. 72 is a diagram illustrating an example of the main adding unit shown in FIG. 69 being divided; and

FIG. 73 is a diagram illustrating another embodiment of the present invention where the quotient calculator 9 is provided in each of the slice sections.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

To facilitate a better understanding of the present invention, a conventional technology for RSA cryptography will be described first. FIG. 1 shows the principle of a conventional technology which performs the calculations for RSA cryptography. An M-register 1, an e-register 2, an n-register 3 and a C-register 4 are provided for storing the variables M, e, n and C, respectively. The contents of the M-register 1 and the C-register 4 are supplied to a selector 6 via signal lines 12 and 11, respectively. The selector 6 selects one of the signals on the signal lines 11 and 12 in accordance with a switching signal on a switching signal line 13 and provides the selected signal to an M₂ -register 5. A multiplier-divider 7 is supplied with a signal M₁ on a signal line 14, a signal M₂ on a signal line 15 from the M₂ -register 5 and a signal n on a signal line 17 from the n-register 3. The most significant bit (MSB) of the e-register 2 is provided via a signal line 18 to a controller 8, which in turn controls the selector 6 in accordance with the content of the signal e applied. Each signal line is composed of a plurality of signal conductors.

First, the variables M, e and n are stored in the registers 1, 2 and 3, respectively. The e-register 2 has a left circular shift function. Prior to the exponentiation procedure, the content of the e-register 2 is shifted left until the left-most bit of the e-register becomes "1". The reason is that the number of calculations in steps 2a and 2b of the exponentiation procedure can be reduced by starting the calculation under the condition e_(i) =1.

Then the controller 8 stores +1 into the C-register 4. Represented by C, the content of the C-register 4 is C=1. The above is the operation of step 1 of the exponentiation procedure.

Next, the controller 8 executes steps 2a and 2b of the exponentiation procedure in the following manner:

The variable n is always present on the input signal line 17 of the multiplier-divider 7. Let the signals on the input signal lines 14 and 15 of the multiplier-divider 7 be represented by M₁ and M₂, respectively, and the signal on the output signal line 16 of the multiplier-divider 7 be represented by R. Since the C-register 4 is connected to the signal line 14, M₁ ←C is executed. The selector 6 selects the input signal line 11 in accordance with the signal on the signal line 13 from the controller 8, and the content C of the C-register 4 is latched in the M₂ -register 5. Accordingly, the signal M₂ on the signal line 15 becomes M₂ ←C. Then the multiplier-divider 7 performs the operation R≡M₁ ×M₂ mod n and provides the signal R on the output signal line 16, so that the content of the C-register 4 becomes R, thus executing C←R. The above is the operation of step 2a of the exponentiation procedure.

The operation of step 2b of the exponentiation procedure differs from the operation of step 2a only in the operation of the selector 6. That is, the input signal line 12 of the selector 6 is selected and the content of the M register 1 is latched in the M₂ -register 5, resulting in M₂ ←M.

The controller 8 executes the operations of steps 2a and 2b while shifting the content of the register 2 left bit by bit for each e_(i) of the variable ##EQU17## By this operation, the content C of the C-register 4 finally becomes C≡M^(e) mod n in accordance with the exponentiation procedure. The principle of the calculation order of the RSA cryptosystem shown in FIG. 1 is known, but the construction of the multiplier-divider used therein has not been disclosed and the cryptosystem has not been realized as a practical product.

FIG. 2 explains the principle of the cryptosystem of the present invention, the parts corresponding to those in FIG. 1 being identified by the same reference numerals. In FIG. 2, the multiplier-divider used in FIG. 1 is divided into a quotient calculator 9 and a main adder 10. The quotient calculator 9 performs the operation of Eq. (5), i.e. the division for obtaining the quotient, using Eqs. (18) and (19). The main adder 10 is formed of the remaining portion of the multiplier-divider 7 from which the quotient calculator 9 is separated, and it mainly performs the additions in Eqs. (20) and (23). That is, in the main adder 10, as shown for example in Eq. (20), the multiplication and the division are performed simultaneously in descending order starting with the most significant digit, permitting high-speed computation. In the present invention the quotient calculator 9 is separated from the multiplier-divider 7; this is one of the features that distinguish the present invention from the prior art. Since the quotient calculator 9 is separated, signal lines 19 to 24 for connecting it to the other parts are added. The part of FIG. 2 other than the quotient calculator 9, that is, the part identified by 25', will hereinafter be called the "sliceable section". It will be evident that, with the arrangement shown in FIG. 2, the cryptographic calculation can be conducted by the exponentiation procedure as in the prior art example of FIG. 1. In this case, since Eqs. (5) and (6) are used, the signal M₂ becomes a signal M₂,j.

FIG. 3 shows the principle of the divided arrangement of the cryptosystem of the present invention. In the sliceable section 25' of FIG. 2, the parts other than the controller 8 are each divided into, for example, eight, and each of the eight groups is provided with one controller 8 to constitute eight sliced sections 25₁ to 25₈. Here, the division into eight means, for example, dividing the 512-bit M-register 1 into eight 64-bit registers 1₁ to 1₈, which together represent the 512-bit information. The registers 2, 3, 4 and 5 are likewise divided into registers 2₁ to 2₈, 3₁ to 3₈, 4₁ to 4₈ and 5₁ to 5₈. The selector 6 is similarly divided into eight. The main adder 10 of FIG. 2 is also divided into eight, each part processing 64 bits of the 512-bit information. Signal lines 26 and 27 are required as a result of dividing the sliceable section 25'. Signal lines 28₁, 28₂ and 28₃ are input signal lines for the variables e, n and M, and a signal line 29 is the output signal line for the variable C. The sliceable section can easily be divided in this way because the quotient calculator 9 is not included in it. The cryptosystem of an embodiment of the present invention based on the principle shown in FIG. 3 comprises a plurality of sliced sections, obtained by equally dividing the sliceable section 25' of the cryptosystem of FIG. 2 and combining each sliced section with the controller 8, together with one quotient calculator. This arrangement has the following features.

The sliceable section 25' in FIG. 2 is difficult to fabricate as one chip with the present LSI technology because it requires 100 to 200K gates when implemented in hardware. According to this embodiment, however, the sliced sections 25₁ to 25₈ are each on the order of 15 to 30K gates and hence can be implemented with the existing LSI technology. At the same time, since these sliced sections can be formed from the same type of chip, the number of processes involved in designing the cryptosystem is small, reducing the manufacturing cost.

Furthermore, by increasing or decreasing the number of sliced sections, it is possible to implement cryptosystems at low cost which have various lengths of the encryption and/or decryption keys n and e. A description will be given later in this connection.

In the foregoing, the sliced sections 25₁ to 25₈ are each described as handling 64-bit information but, strictly speaking, the main adder handles 66 bits, of which 64 are used for the purpose described previously. This will be described later. The quotient calculator 9 can be divided into a quotient pre-processing section and a quotient post-processing section according to the nature of its processing. The signal lines 26, 21 and 22 will hereinafter be referred to as the exponentiation control signal line, the multiplication control signal line and the division control signal line, respectively.

SYMBOLIZATION CONVENTIONS

Prior to a detailed description of the invention, a description will be given of symbols used for showing various functions in the drawings.

FIG. 4A shows that a terminal 30 of a signal line is not connected to any part, that is, an open terminal. A signal line is usually composed of more than one signal conductor and, in this case, the open terminal represents several open terminals. FIG. 4B shows that a+b signal lines (a=1, 2, . . . and b=1, 2, . . . ) are branched into a and b signal lines. In this case, the left-hand a signal lines carry the a-digit signal from the most significant digit side of the a+b signal lines, regarded as a binary number, whereas the right-hand b signal lines similarly carry the b-digit signal from the least significant side. The arrows on the signal lines indicate the direction of signal transmission. This is common to all the accompanying drawings. When the branching is indicated by lateral lines as in FIG. 4C, the upper side indicates the higher-order digits. That is, for a signal regarded as a binary number, the signal line on the right-hand side in the direction of signal transmission carries the most significant digit and the signal line on the left side the least significant digit. FIG. 4D shows that b groups of signal lines, each of a lines, are drawn en bloc.

FIG. 4E shows an AND logic of two inputs. This also applies to an AND logic of three or more inputs.

FIG. 4F shows a NAND logic of two inputs. This also applies to a NAND logic of three or more inputs. FIG. 4H shows an exclusive OR and FIG. 4I the NOT of an exclusive OR. FIG. 4J shows NOT logic. FIG. 4K shows that a signal value "0" is provided. FIG. 4L shows that a signal value "1" is provided. FIG. 4M shows a one-bit full adder. Letting the signals on signal lines 31₁, 31₂ and 31₃ be represented by A, B and C (A=0,1, B=0,1, C=0,1), respectively, the data on the signal line 32₁ is A⊕B⊕C (where ⊕ is exclusive OR) and the data on the signal line 32₂ is A·B+B·C+C·A (where · is AND and + is OR).

FIG. 4N shows a two-input selector. Two input signal lines 34₀ and 34₁ and an output signal line 35 are all composed of a (a=1, 2, . . . ) signal lines. When the selector input switching signal on a selector input switching signal line 33 is 1, the signal line 34₁ is selected, and when the signal on the signal line 33 is 0, the signal line 34₀ is selected. FIG. 4P shows a master-slave D flip-flop, which has at least an input signal line 36 connected to its data terminal D, an input signal line 37 connected to its clock terminal and an output signal line 38 connected to its Q terminal. In some cases the flip-flop is further provided with an output signal line 39 connected to its inverted output (Q̄) terminal, a clear signal line 40 and a preset signal line 41. Upon application of a signal "1" from the clear signal line 40, the output signal on the output signal line 38 becomes "0", and when a signal "1" is applied from the preset signal line 41, the output signal on the output signal line 38 becomes "1". This flip-flop reads in the data on the line 36 on the rising edge of the clock signal on the line 37. FIG. 4Q shows a trigger flip-flop, which has a trigger input signal line 42, a clear signal input line 40 and an output signal line 38 connected to its Q terminal; the output Q is inverted on the rising edge of the trigger input. FIG. 4R shows another symbol for the master-slave D flip-flop of FIG. 4P. This is used when the flip-flop is employed as a one-clock delay circuit. FIG. 4S shows a counter, which has a clear signal line 43, an input signal line 44 for the pulses to be counted and an output signal line 45 on which a signal "1" is retained after the 513th input pulse has been counted. The numeral "512" in CNT512 means that this counter counts 512 pulses and the 513th pulse causes it to output "1". FIG. 4T explains the operation of the counter shown in FIG. 4S. After being supplied with a clear signal at a moment 46, the counter CNT512 counts 512 pulses and, upon detection of the 513th pulse, its output signal becomes "1" at the moment 47. There are also counters which count 128 pulses, six pulses and two pulses, respectively. These counters are denoted CNT128, CNT6 and CNT2 in the same manner as in FIG. 4S.

FIG. 4U shows en bloc a (a=1, 2, . . . ) ANDs as illustrated in FIG. 4V. FIG. 4W shows en bloc a (a=1, 2, . . . ) ORs as depicted in FIG. 4X. FIG. 4Y shows en bloc a (a=1, 2, . . . ) NOTs as depicted in FIG. 4Z. FIG. 5A is identical with FIG. 5B, in which input and output lines are directly connected. FIG. 5C shows that a b-bit input is shifted up by a bits (where b>a) as shown in FIG. 5D. FIG. 5E shows that a b-bit input is shifted down by a bits and outputted as (b-a) bits (where b>a) as depicted in FIG. 5F. FIG. 5G shows that an a-bit input is outputted with a zero added on its high-order side as depicted in FIG. 5H. FIG. 5I shows that the high-order 10 bits of a 38-bit input are outputted as they are, and that the low-order 28 bits are divided into two groups of 14 bits each, and the four bits lying between the high-order two bits and the low-order eight bits of each group are outputted together with the abovesaid high-order 10 bits, as illustrated in FIG. 5J. FIG. 5K shows that the high-order four bits of a 64-bit input are removed therefrom and four bits are added on the low-order side thereof to obtain a 64-bit output as illustrated in FIG. 5L.

FIG. 5M shows that the name of a signal on a signal line 55 is D-SIG. FIG. 5N shows that 12 kinds of control signals are present on the signal line 55, and their names are CT1 to CT12. FIG. 5P shows that five signals are provided on the signal line 55, and that their names are CLOCK, e-in, n-in, START and C-out, respectively. FIG. 5Q shows that the number of signals on a signal line 56 is 12, that they are named CT1 to CT12, respectively, and that they are branched into two signals CT2 and CT1 on a signal line 57, . . . three signals CT5, CT11 and CT12 on a signal line 58, and so forth.

The signal value on the signal line is indicated by binary logic "0" or "1", or a binary integer represented as a 2's complement.

GENERAL ARRANGEMENT OF EMBODIMENT

FIG. 6 illustrates the general arrangement of an embodiment of the present invention, in which the parts corresponding to those in FIG. 3 are identified by the same reference numerals and characters. The quotient calculating unit 9 is divided into a quotient calculating pre-processing section 60 and a quotient calculating post-processing section 61, and these processing sections 60 and 61 are interconnected via a signal line 62. The sliced sections 25₁ to 25₈ are provided with input signal lines 63₁ to 63₈, 65₁ to 65₈ and 67₁ to 67₈ and output signal lines 64₁ to 64₈, respectively. The input signal lines 67₁ to 67₇ are grounded and input a signal value "0", and the input signal line 67₈ inputs a signal value "1". The signal value "1" on the signal line 67₈ means that the sliced section 25₈ is the remotest from the quotient calculating unit 9 and on the side of the least significant digit among the sliced sections. Supplied with the signal value "1", one part of the sliced section 25₈ performs a special operation different from operations of the sliced sections 25₁ to 25₇. This will be described later. Reference numerals 8₁ to 8₈ designate controllers 8 in the individual sliced sections 25₁ to 25₈.

Following the principle of the present invention, the cryptosystem of FIG. 6 is supplied with the variables e, n and M from the input signal lines 28₁, 28₂ and 28₃ and performs the operation C≡M^(e) mod n to provide the variable C on the output signal line 29. Similarly, the variables d, n and C are applied from the input signal lines 28₁, 28₂ and 28₃ to the cryptosystem when implementing the operation M≡C^(d) mod n, providing the variable M on the output signal line 29.

The cryptosystem receives an operation control signal from the input signal line 63₁ and the controller 8₁ generates a control signal for the entire cryptosystem. The controllers 8₂ to 8₈ do not operate. In other words, the sliced sections 25₁ to 25₈ are made identical in construction and one of the controllers is used. Therefore, instead of providing a controller in each sliced section, a single controller may be separately provided from the sliced sections as is the case of the quotient calculating unit 9.

The operative state of the cryptosystem is reported to the outside via the output signal line 64₁. Various control signals necessary for calculations for cryptography are produced not only by the controller 8₁ but also by the quotient calculation post-processing section 61 and other parts in the sliced section 25₁ than the controller 8₁. The names of signals on the exponentiation control signal line 26, the multiplication control signal line 21 and the division control signal line 22 are EXP-SEL, M-SIG and D-SIG, respectively. The signal line 27 includes 12 lines and their names are CT1 to CT12, respectively.

QUOTIENT CALCULATION PRE-PROCESSING SECTION

FIG. 7 illustrates the quotient calculation pre-processing section, which is formed by a read only memory (ROM) 68. ROM 68 replaces the operation of Eq. (15). When the value [n·2⁻⁵⁰⁴ ] is applied as an address on the signal line 19, ROM 68 provides on the signal line 62 the value [2¹³ ÷[n·2⁻⁵⁰⁴ ]] precalculated and stored therein. With such an arrangement, the value of v calculated by Eq. (15) is obtained on the signal line 62 simply by applying the high-order bits of the variable n as the address.

QUOTIENT CALCULATION POST-PROCESSING SECTION

FIG. 8 illustrates the general arrangement of the quotient calculation post-processing section 61, which performs the operations of Eqs. (18) and (19). The signal M-SIG on the multiplication control signal line 21 is composed of four signals, each having a signal value δ₄(j-1)+i ·2^(i) (i=0,1,2,3). Incidentally, ##EQU18## is apparent from Eq. (14). From the input signal line 24 is applied the value of the high-order 11 bits of M₁, obtained by discarding the low-order 501 bits of M₁ represented by 512 bits in Eq. (18); from the input signal line 23 is applied a binary signal value of 14 bits obtained by discarding the low-order 500 bits of R_(j+1),i (i=0,1) represented by 514 bits in Eq. (18). An AND element group 70 performs the ANDing of M₁ and δ₄(j-1)+i ·2^(i) ·2⁻⁵⁰⁴ (i=0,1,2,3) in Eq. (18); a logic circuit 71 produces the constant 38 in Eq. (18); and a carry save adder (CSA-Q1) 72 performs the addition in Eq. (18) to calculate the value of X_(j) ". The carry save adder (CSA-Q1) 72 has seven inputs and two outputs, all of which are binary integers of 14-bit width. An AND element group 73 performs the AND operation necessary for the calculation of X_(j) "×v in Eq. (19). That is, the AND element group 73₁ is supplied with the value v of six-bit width from the signal line 62 and the value X_(j) " from the adder 72, and performs the ANDing of each digit of v represented as a binary number with each digit of X_(j) " represented as a binary number.

The results of the ANDing are added by a 12-input, 2-output carry save adder (CSA-Q2) 73₂ to obtain the value X_(j) "×v. Each output from the adder 73₂ is applied to a circuit 73₃ in which its low-order 13 bits are discarded, and the value [X_(j) "×v×2⁻¹³ ] is obtained as the sum of the signals provided on signal lines 73₄ and 73₅. The signals on the signal lines 73₄ and 73₅ are added in the one-output carry propagation adders 74₁ and 74₃, and the signals on the signal lines 73₄ and 73₅ and -1 are added together in a three-input, two-output carry save adder (CSA-Q3) 76, whose two outputs are added in the carry propagation adder 74₂.

On an output signal line 78₁ of the adder 74₁ is provided the value [X_(j) "×v×2⁻¹³ ]+1, while on an output signal line 78₂ of the adder 74₂ is provided the value [X_(j) "×v×2⁻¹³ ]-1. The signal on the signal line 78₂ is inverted, providing on a signal line 78₃ the binary value [X_(j) "×v×2⁻¹³ ]-1 with its respective bits inverted, that is (when X_(j) "<0), the absolute value |[X_(j) "×v×2⁻¹³ ]|. On a most significant bit output signal line 78₄ of the adder 74₃ is obtained the value "0" or "1" depending on whether the sign of [X_(j) "×v×2⁻¹³ ], i.e. the sign of X_(j) ", is X_(j) "≧0 or X_(j) "<0. The AND of the inverted signal on the signal line 78₄ and the signal on the signal line 78₁ is obtained in the form of [X_(j) "×v×2⁻¹³ ] on a signal line 79₁ when X_(j) "≧0. The AND of the signals on the signal lines 78₄ and 78₃ is provided as |[X_(j) "×v×2⁻¹³ ]| on a signal line 79₂ when X_(j) "<0. The signal on the signal line 78₁ is applied to a 32-detector 75₁, which provides the value +31 on a signal line 79₃ when X_(j) "≧0 and [X_(j) "×v×2⁻¹³ ]+1=32. The inverted signal on the signal line 78₂ is supplied to a 32-detector 75₂, which provides the value 31 (i.e. |-31|) on a signal line 79₄ when X_(j) "<0 and |[X_(j) "×v×2⁻¹³ ]|=32. Since the range of Q_(j) " is -31≦Q_(j) "≦31, |Q_(j) "| can be represented by five bits. The OR of the corresponding bits of the 5-bit signals on the signal lines 79₁ to 79₄ is provided on a signal line 80. The signal on the signal line 80 is thus composed of the five bits of |Q_(j) "|, Q_(j) " being defined in Eq. (19). On the signal line 78₄ is provided the sign q_(s) of Q_(j) ", which is "0" or "1" depending on whether X_(j) "≧0, i.e. Q_(j) "≧0, or X_(j) "<0, i.e. Q_(j) "<0. On a signal line 82, which is a combination of the signal lines 80 and 78₄, the most significant bit is provided in the form of q_(s) and the other five bits in the form of |Q_(j) "|.

On the division control signal line 22 there is provided, by the operation of a selector 83, the content of the signal line 82 when CT10=0 and "100001", i.e. -1, from a circuit 75₃ when CT10=1.

For performing the operations of Eqs. (18) and (19), the quotient calculation post-processing section 61 is supplied with the high-order 14×2 bits of R_(j+1),i (i=0,1) from the signal line 23, the high-order 11 bits of M₁ from the signal line 24 and the four bits of δ₄(j-1)+i ·2^(i) (i=0,1,2,3) from the signal line 21. The quotient calculation post-processing section 61 calculates X_(j) " in accordance with Eq. (18) and calculates Q_(j) " by Eq. (19), the calculation depending on whether X_(j) "≧0 or X_(j) "<0. When CT10=0, the absolute value |Q_(j) "| of Q_(j) " is represented by five bits and the sign of Q_(j) " by one bit; namely, a total of six bits is provided on the division control signal line 22. Here the sign q_(s) of Q_(j) " is 0 or 1 depending on whether Q_(j) "≧0 or Q_(j) "<0. When CT10=1, the absolute value of Q_(j) " is 1 and the sign q_(s) of Q_(j) " is 1.

DETAILS OF QUOTIENT CALCULATION POST-PROCESSING SECTION

FIG. 9 illustrates a specific example of the AND element group 70, in which δ₄(j-1)+i ·2^(i) ·2⁻⁵⁰⁴ (i=0,1,2,3) from the signal line 21 and the eleven bits of M₁ from the signal line 24 are ANDed with each other, thereby performing the operation M₁ ·δ₄(j-1)+i ·2^(i) ·2⁻⁵⁰⁴ in Eq. (18).

FIG. 10 illustrates a logic circuit 71 for producing the constant S=38 in Eq. (18). FIG. 11 shows a seven-input two-output carry save adder (CSA-Q1) 72, which is constituted by a combination of three-input two-output carry save adders (CSAUQ1) 90₁ to 90₅. Each of the three-input two-output carry save adders (CSAUQ1) 90₁ to 90₅ is arranged so that the corresponding bits of the three inputs are added by as many full adders as there are bits in each input, as shown in FIG. 12. FIG. 13 illustrates a 12-input two-output carry save adder (CSA-Q2) 73₂, which is made up of three-input two-output carry save adders (CSAUQ2) 91₁ to 91₁₀. FIG. 14 illustrates, by way of example, one of the two-input one-output carry propagation adders 74₁ to 74₃, which is arranged so that the corresponding bits of the two inputs are added by as many full adders as there are bits in each input, the carry of each full adder propagating to the full adder of the next higher order.

Sliced Sections

FIG. 15 illustrates, by way of example, the arrangement of one of the sliced sections 25₁ to 25₈ in FIG. 6 in which there are provided registers 101, 102, 103, 104 and 105, each corresponding to one of the eight parts into which the M, e, n, C and M₂ registers 1, 2, 3, 4 and 5 are each divided. To the least significant ends of the registers 101 to 105 are respectively connected input signal lines 101_(R) to 105_(R) for supplying thereto signals from a lower-order sliced section. To the most significant ends of the registers 101 to 105 are connected output signal lines 101_(L) to 105_(L) for supplying therefrom signals to a higher-order sliced section. A selector 106, one of eight parts into which the selector 6 is divided, is provided, which is controlled by a signal on an input signal line 113. A main adder 110, one of eight parts into which the main adding section 10 for mainly performing the additions in Eqs. (20) and (23) is divided, is provided. Connected to the main adder 110 are input signal lines 114 and 115 and an output signal line 116. The content of the register 103 and a signal on the input signal line 103_(R) are provided via a signal line 117 to the main adder 110. The content of the most significant bit of the register 102 is applied via the signal line 18 to the controller 8.

Signals for controlling the operation of the sliced section are provided via the five input signal lines 63, and their signal names are CLOCK, e-in, n-in, START and C-out. The operative state of the sliced section is reported to the outside thereof via the three signal lines 64, and their signal names are CT2, n-end and CRYPT-end. A signal indicating the state of carry propagation of each of the plurality of sliced sections is applied via the input signal line 65, and a signal indicating the state of carry propagation in the main adder 110 is provided via the output signal line 66 to the outside of the sliced section, this signal name being CRY-end. A signal indicating that the sliced section 25 is the remotest from the quotient calculating unit 9 like the sliced section 25₈ in FIG. 6, is provided via the signal line 67 and the name of this signal is TAIL. When the signal TAIL is "1", the sliced section 25 is the remotest from the quotient calculating unit 9. Following the exponentiation procedure the sliced section 25 executes Eqs. (16), (17) and (20) to (24) on the premise of Eq. (14). Eq. (15) is executed by the quotient calculation pre-processing section 60 and Eqs. (18) and (19) are executed by the quotient calculation post-processing section 61. In the case where the quotient calculating unit 9 and a plurality of sliced sections are connected as shown in FIG. 6, main signals of each sliced section and the calculation for cryptography bear such relationships as described below. Details of the signals will be described later.

The cryptosystem applies the variable e to the plurality of registers 102 (hereinafter referred to as the e-registers) of the plurality of sliced sections 25 upon application of the signal e-in from the control input signal line 63, applies the variable n to the plurality of registers 103 upon application of the signal n-in, and applies the variable M to the plurality of registers 101 upon application of the signal START. After application of the variable M, the e-registers 102 continue bit-by-bit circular left shifting until the most significant digit (MSD) of the e-register 102 becomes "1".

Next, upon application of the signal CT5, the cryptosystem performs the operation of Step 1 of the exponentiation procedure; that is, the operation C←1 is executed.

Next, upon application of the signal CT6, the operation M₂ ←C in step 2a or M₂ ←M in step 2b of the exponentiation procedure is executed. (Here, M₁ ←C always holds on account of the arrangement of the cryptosystem.) Next, in the period in which the signal CT7 is "1", the multiplication and division R≡M₁ ×M₂ mod n in step 2a or 2b of the exponentiation procedure are executed and, upon application of a signal MDEND, the multiplication and division are finished. Then C←R is established owing to the arrangement of the cryptosystem.

The execution of the multiplication and division R≡M₁ ×M₂ mod n based on the exponentiation procedure is controlled as follows: The value of the signal EXP-SEL is determined by each bit e_(i) of the variable e. When the signal EXP-SEL is "0", step 2a of the exponentiation procedure is executed, and when the signal EXP-SEL is "1", step 2b of the exponentiation procedure is executed. Upon completion of the operation of Eq. (1), i.e. C≡M^(e) mod n, by the above calculation, the value of the signal CRYPT-end is altered from "0" to "1" and, upon application of the signal C-out, the variable C obtained by the calculation for cryptography is outputted.

With such an arrangement, the calculation for cryptography can be achieved following the principle of the present invention by connecting the quotient calculating unit 9 and the plurality of sliced sections as shown in FIG. 6. The same is true of the case where the quotient calculating unit 9 is divided into the quotient calculation pre-processing section 60 and the quotient calculation post-processing section 61.
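The multiply-and-reduce loop R_(j) =2⁴·R_(j+1) +M₁ ·M₂,j -Q_(j) ·n described for the quotient calculation sections (ROM reciprocal v, quotient digit from the high-order bits X_(j) ) and the step 2a/2b sequencing driven by EXP-SEL and SFT1 described just above, written out in Python as an added example. This is not the patent's circuit: the hardware keeps R in carry-save form (R_(j),0 and R_(j),1), adds the bias constant 38 in Eq. (18) and clamps the quotient digit to ±31, whereas this model keeps a single resolved integer, omits the bias and does not clamp. The digit width 4, the 8-bit ROM address and the 13-bit reciprocal are taken from the text; the function names and the `fixups` counter are this example's own.

```python
# Software model of the interleaved multiply-and-reduce loop and of the
# square-and-multiply control sequence.  Added example, not the patent's circuit:
# the hardware keeps R in carry-save form (R_j,0 / R_j,1), adds the bias constant
# 38 and clamps the quotient digit to +-31; this model keeps one resolved integer,
# omits the bias and does not clamp.  Function names are this example's own.

DIGIT_BITS = 4    # lambda: M2 is consumed four bits (M2,j) per step
NHI_BITS = 8      # ROM address width: [n * 2^-504] for a 512-bit n is its top 8 bits
RECIP_BITS = 13   # ROM contents: v = [2^13 / [n * 2^-504]]


def recip_rom(n):
    """Pre-processing ROM: v = floor(2^13 / n_hi), n_hi = top 8 bits of n.
    Returns v and the shift that extracts n_hi (504 for a 512-bit n)."""
    assert n.bit_length() >= NHI_BITS
    shift = n.bit_length() - NHI_BITS
    return (1 << RECIP_BITS) // (n >> shift), shift


def estimate_quotient(partial, v, shift):
    """Quotient digit Q_j from the high-order bits X_j of the partial numerator,
    as the post-processing section computes [X_j * v * 2^-13].  Python's >> floors
    negative values, so a negative partial remainder yields a negative digit."""
    x = partial >> shift
    return (x * v) >> RECIP_BITS


def mul_mod(m1, m2, n):
    """R = M1 * M2 mod n, scanning M2 from its most significant 4-bit digit:
    R_j = 2^4 * R_{j+1} + M1 * M2,j - Q_j * n.  Returns (R, fixups), where fixups
    counts the +-n compensating steps needed to bring R into [0, n)."""
    assert 0 <= m1 < n and 0 <= m2 < n
    v, shift = recip_rom(n)
    ndig = max(1, (m2.bit_length() + DIGIT_BITS - 1) // DIGIT_BITS)
    r = 0
    for j in range(ndig - 1, -1, -1):            # j = l, l-1, ..., 1 in the text
        digit = (m2 >> (j * DIGIT_BITS)) & ((1 << DIGIT_BITS) - 1)
        partial = (r << DIGIT_BITS) + m1 * digit
        q = estimate_quotient(partial, v, shift)
        r = partial - q * n                        # main-adder step, Eq. (20)
    fixups = 0
    while r < 0:                                   # compensating step (Q = -1 adds +n)
        r += n
        fixups += 1
    while r >= n:
        r -= n
        fixups += 1
    return r, fixups


def exponent_schedule(e, width=512):
    """Controller model: e sits in a width-bit register that is circularly
    left-shifted (one SFT1 pulse per leading zero) until its MSB is 1; then each
    bit drives EXP-SEL: step 2a (M2 <- C, square) always, step 2b (M2 <- M,
    multiply) when the bit is 1.  Returns (number of SFT1 pulses, step list)."""
    assert 0 < e < (1 << width)
    steps = []
    for i in range(e.bit_length() - 1, -1, -1):
        steps.append("2a")
        if (e >> i) & 1:
            steps.append("2b")
    return width - e.bit_length(), steps


def mod_exp(m, e, n):
    """C = M^e mod n (e > 0): Step 1 sets C <- 1, then the 2a/2b schedule runs
    with M1 <- C on every step and each product reduced by mul_mod (C <- R)."""
    assert 0 <= m < n
    c = 1 % n
    _, steps = exponent_schedule(e, width=max(512, e.bit_length()))
    for step in steps:
        m2 = c if step == "2a" else m
        c, _ = mul_mod(c, m2, n)
    return c


if __name__ == "__main__":
    # constructed check with the small textbook RSA parameters n=3233, e=17, d=2753
    assert mod_exp(mod_exp(65, 17, 3233), 2753, 3233) == 65
```

Because the estimate uses only the top 8 bits of n and a 13-bit reciprocal, Q_(j) can be off by a few units; the partial remainder is allowed to go negative and the final compensating loop brings it back into [0, n), which is what the CT10=1 cycle with Q=-1 does in the hardware.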

Details of Sliced Sections

The registers 101, 103, 104 and 105 are formed as four-bit parallel input-output shift registers, as shown in FIGS. 16, 17, 18 and 19, respectively, and they are shifted by signals CT4, CT3, CT12, and CT6 and CT9, respectively. The register 104 is capable of presetting in parallel a 64-bit signal from a signal line 116 under the control of the signal CT11. In the case where the signal TAIL is "1" when the signal CT5 is provided, "1" is preset only in the least significant bit of the register 104 and other bits are preset to "0", and where the signal TAIL is "0", the register 104 is entirely cleared by the application of CT5. The register 105 is also controlled by the signal CT6 and capable of presetting the 64-bit signal M₂ in parallel. The register 102 is constituted as a one-bit shift register as shown in FIG. 20 and it is shifted by the signal CT1. In the sliced section 25₈, when the signal CT2 becomes "1", the register 102 is put in its circular operation. FIG. 21 illustrates a specific example of the selector 106.

FIG. 22 illustrates the general arrangement of an embodiment of the main adder 110. An M₁ ·M₂,j calculator 140 for calculating M₁ ·M₂,j seen in FIG. 22 is arranged as depicted in FIG. 23. A -Q_(j) ·n calculator 150 for computing -Q_(j) ·n is arranged as shown in FIG. 24. A selector (SEL-Q) 151, controlled by the sign bit of the signal Q_(j) on a division control signal line 134, selects either the signal n on a signal line 152 from the n-register 103 together with a signal line 154 from the next lower-order sliced section, or the bit-inverted signal of n on a signal line 153 from the n-register 103 together with a signal line 155 from the next lower-order sliced section, and the selected signal is ANDed with the signal Q_(j) on the signal line 134. An adder 160 seen in FIG. 22 is formed by three-input two-output carry save adders 161₁ to 161₁₀ as shown in FIG. 25. As shown in FIG. 26, the three-input two-output carry save adder 161 has 66 bits for each input and output, and the most significant one of the 64 bits on the lower-order side of the adder 161 is branched off and applied to the corresponding carry save adder 161 of the next higher-order sliced section, as indicated by a signal line 880. A signal applied via a signal line 880' from the corresponding lower-order side is provided to the carry-output side of all the full adders FA. Circuits 170_(L) and 170_(R) in FIG. 22 are 66-bit registers as shown in FIG. 27. A circuit 180 in FIG. 22 adds the two outputs from the adder 160 of this sliced section in a carry propagation adder 184 to produce the output shown in FIG. 28. The carries resulting from this addition are applied to the next higher-order sliced section one after another. In the most significant sliced section 25₁, the carry components in the output from the adder 160 are added by an adder 186 and a portion of the addition result is supplied to the controller 8₁ via a signal line 187. A carry detector 190 in FIG. 22 performs ORing of the NOT outputs of the exclusive ORs of corresponding bits of the two outputs to be added from the adder 160, as shown in FIG. 29, and yields an output "0" or "1" depending on whether a carry to be transferred to the higher order is produced by the addition of the 66 bits in the adder 160.

In FIG. 22, selectors 301 and 302 are controlled by the signal CT10 to select either a signal obtained by multiplying the content of the corresponding register 170_(L) or 170_(R) by 2⁴ or a signal corresponding directly to that content. That is, in the case of the compensating calculation the signal corresponding directly to the content is selected, and when the multiplied (shifted) signal is selected, the high-order four bits from the next lower-order sliced section are appended to the less significant side of the selected signal.

FIG. 30 shows the state in which the registers 101₁ to 101₈ of the sliced sections 25₁ to 25₈ shown in FIG. 6 are coupled together to form the register 1 of 512-bit length because 64×8=512. The register 1 stores the variable M of 512-bit length. FIG. 31 illustrates the state in which the registers 102₁ to 102₈ of the sliced sections 25₁ to 25₈ are coupled together to set up the e-register 2 of 512-bit length, which stores the variable e of 512-bit length. The e-register 2 has the function of circularly shifting signals of 512 bits to left bit by bit. FIG. 32 illustrates the state in which the registers 103₁ to 103₈ of the sliced sections 25₁ to 25₈ are coupled together to constitute the register 3 of 512-bit length, which stores the variable n of 512-bit length. FIG. 33 shows the state in which the registers 104₁ to 104₈ of the sliced sections 25₁ to 25₈ are coupled together to form the C-register 4 of 512-bit length, which stores the variable R(C) of 512-bit length. FIG. 34 shows the state in which the registers 105₁ to 105₈ of the sliced sections 25₁ to 25₈ are coupled together to form the M₂ -register 5 of 512-bit length, which stores the variable M₂ of 512-bit length. FIG. 35 shows the state in which the selectors 106₁ to 106₈ of the sliced sections 25₁ to 25₈ are coupled together to serve as the selector 6 of two inputs and 512-bit width.

FIG. 36 illustrates the state in which the main adders 110₁ to 110₈ of the sliced sections 25₁ to 25₈ are coupled together to form the main adder 10 of 514-bit width. FIG. 37 shows the state in which the M₁ ·M₂,j calculators 140₁ to 140₈ of each main adder 110 of the sliced sections 25₁ to 25₈ are coupled together and the input signal lines 114_(a) (a=1, 2, . . . 8) are divided into input signal lines 114_(La) and 114_(Ra). Because of such coupling, the ANDing of M₁ ·M₂,j (where M₁ is 512-bit and M₂,j is four-bit) in Eq. (20) can be performed. FIG. 38 shows the coupling state of the -Q_(j) ·n calculators 150₁ to 150₈ of each main adder 110 of the sliced sections 25₁ to 25₈, by which the ANDing of -Q_(j) "·n in Eq. (20) can be carried out. FIG. 39 shows the coupling state of the adders 160₁ to 160₈ of each main adder 110 of the sliced sections 25₁ to 25₈. FIG. 40 shows the coupling state of the registers 170_(L1) to 170_(L8) of each main adder 110 of the sliced sections 25₁ to 25₈. The registers 170_(R1) to 170_(R8) are coupled similarly. FIG. 41 shows the coupling state of the circuits 180₁ to 180₈ of each main adder 110 of the sliced sections 25₁ to 25₈. FIG. 42 shows the coupling state of the carry detectors 190₁ to 190₈ of each main adder 110 of the sliced sections 25₁ to 25₈ with the circuit 135₁ of the sliced section 25₁.

FIG. 43 is explanatory of the operations in FIGS. 39 to 40. The circuits 160, 170_(L), 170_(R) and 180 each perform a 66-bit calculation in the sliced sections 25₁ to 25₈ but, in the coupled state, the sliced sections 25₂ to 25₈ each perform a 64-bit calculation. Thus a calculation of a total of 512+2=514 bits is conducted. FIGS. 44 and 45 illustrate the coupling operation of the M₁ ·M₂,j calculator 140 in FIG. 37.

From input signal lines 114_(L1) to 114_(L8) in FIG. 37 are applied to the sliced sections 25₁ to 25₈ the variable M₁ by steps of 64 bits, from each of signal lines 114_(R1) to 114_(R7) are applied high-order three bits of the input on each of the signal lines 114_(L2) to 114_(L8) , and from a signal line 114_(R8) is applied a signal "0" of three bits. As a result of this, the ANDing of M₁ ·M₂,j (M₁ being 512-bit and M₂,j 4-bit) can be achieved. The number of significant digits used for the operation M₁ ·M₂,j is 514 from the low-order end, and 515th and higher-order bits are neglected but this does not matter for the reasons already described.

FIG. 46 shows the coupling operation of the -Q_(j) ·n calculator shown in FIG. 38 (also see FIG. 24). Signal lines 152₁ to 152₈ divide n (512 bits) equally into eight groups of 64 bits and apply them to the -Q_(j) ·n calculator from the high-order side. Signal lines 153₁ to 153₈ divide the inverted signals of the respective bits of n equally into eight groups of 64 bits and apply them from the high-order side. Signal lines 154₁ to 154₇ apply the high-order four bits of the signals on the signal lines 152₂ to 152₈, respectively. A signal line 154₈ applies the signal "0000". Signal lines 155₁ to 155₇ apply the high-order four bits of the signals on the signal lines 153₂ to 153₈. A signal line 155₈ applies the signal "0000" when the signal TAIL from a signal line 156 (see FIG. 24) is "1". As a result of this, the ANDing of -Q_(j) " and n can be performed. The number of significant digits for the operation -Q_(j) "×n is 514 from the low-order end, and the 515th and higher-order bits are neglected, but this does not matter for the reasons already given.
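A bit-level model of the -Q_(j) ·n calculator as described for FIGS. 24, 38 and 46, added here as an example and not the patent's own circuit. Q_(j) arrives in sign-magnitude form (q_(s), |Q_(j) |) on the six-bit division control line; SEL-Q picks n when q_(s) =1 (Q_(j) <0, so -Q_(j) ·n=|Q_(j) |·n) and the bit-inverted n when q_(s) =0, each bit of |Q_(j) | is ANDed with the selected operand to give a shifted partial product, and the partial products are summed modulo 2⁵¹⁴ with the 515th and higher bits discarded. In two's complement, Q·(~n)= -Q·n-Q (mod 2^w), so the q_(s) =0 case needs |Q_(j) | added back; the text does not say where the hardware does this, so that correction and the function names are assumptions of this example.

```python
# Bit-level model of the -Q_j * n calculator.  Added example, not the patent's
# circuit; the "+|Q_j|" correction in the q_s = 0 case is an assumption about
# where the two's complement +1 per set magnitude bit is absorbed.

WIDTH = 514  # main-adder width in the text: 512 bits plus two guard bits


def decode_division_control(word):
    """Six-bit word on the division control line: MSB is q_s, the rest |Q_j|.
    '100001' is the compensating value (q_s = 1, |Q_j| = 1), i.e. -Q_j * n = +n."""
    assert len(word) == 6 and set(word) <= {"0", "1"}
    return int(word[0]), int(word[1:], 2)


def partial_products(q_s, q_mag, n, width=WIDTH):
    """SEL-Q followed by the AND element group: each magnitude bit of Q_j is
    ANDed with the selected operand (n if q_s = 1, ~n if q_s = 0) and shifted
    by that bit's weight.  Returns the list of width-bit terms."""
    mask = (1 << width) - 1
    operand = n if q_s else (~n & mask)          # SEL-Q: n or bit-inverted n
    terms = []
    for i in range(q_mag.bit_length()):
        bit = (q_mag >> i) & 1
        terms.append(((operand if bit else 0) << i) & mask)   # AND, then shift
    return terms


def minus_q_n(q_s, q_mag, n, width=WIDTH):
    """-Q_j * n modulo 2^width from the partial products above.
    For q_s = 0: sum of Q*(~n) terms + Q = -Q*n (mod 2^w); for q_s = 1: |Q|*n."""
    mask = (1 << width) - 1
    total = sum(partial_products(q_s, q_mag, n, width))
    if not q_s:
        total += q_mag                           # assumed two's complement correction
    return total & mask


def to_signed(x, width=WIDTH):
    """Interpret a width-bit pattern as a two's complement integer."""
    return x - (1 << width) if x >> (width - 1) else x


if __name__ == "__main__":
    n = 12345                                    # constructed small modulus
    assert to_signed(minus_q_n(0, 5, n)) == -5 * n
    assert to_signed(minus_q_n(*decode_division_control("100001"), n)) == n
```

Dropping everything above bit 514 is harmless here for the same reason the text gives: the final R_(j) fits in 514 bits, and addition modulo 2⁵¹⁴ is exact for any intermediate that does.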

FIG. 47 is explanatory of the coupling operation of the register 170 shown in FIG. 40. The registers 170_(L1) to 170_(L8) serve as a 514-bit register as a whole, in the same manner as described previously in respect of FIG. 44. When the signal CT10 is "1", the contents of the registers 170_(L1) to 170_(L8) are provided as they are on signal lines 171_(L1) to 171_(L8). When the signal CT10 is "0", the signals resulting from shifting the registers 170_(L1) to 170_(L8) toward the high-order side by four bits are provided on the output signal lines 171_(L1) to 171_(L8). As a result, since the values of R_(j+1),1 and R_(j+1),0 are stored in the registers 170_(L) and 170_(R), respectively, 2⁴ ·R_(j+1),1 and 2⁴ ·R_(j+1),0 are provided on the signal lines 171_(L) and 171_(R), respectively, when the signal CT10 is "0", and R_(j+1),1 and R_(j+1),0 are provided on the signal lines 171_(L) and 171_(R) when the signal CT10 is "1". The condition CT10=0 permits the addition in Eq. (20) and the condition CT10=1 permits the addition in Eq. (23).

FIG. 48 is explanatory of the coupling operation of a carry detector 190 shown in FIG. 42. Arrows 191₁ to 191₈ indicate signal values on output signal lines 66₁ to 66₈ of the carry detectors 190₁ to 190₈, respectively.

CONTROLLER

FIG. 49 shows the general arrangement of the controller 8, which comprises first to fifth controllers (CTL1) 230, (CTL2) 250, (CTL3) 260, (CTL4) 270 and (CTL5) 280 and other related circuits. From an input signal line 203 are applied the signal CLOCK to all the controllers 230 to 280, the signals e-in, n-in and START to the first controller 230 and the signal C-out to the fifth controller 280. From an input signal line 205 is applied a signal CARRYEND to the fourth controller 270, and from an input signal line 206 is applied a signal SIGN to the fourth controller 270. On an output signal line 204 are provided the signals CT2 and n-end from the first controller 230 and the signal CRYPT-end from the second controller 250. On an output signal line 220 of the fourth controller 270 is provided the signal CT10. On an output signal line 221 of the third controller 260 is provided the signal EXP-SEL. On an output signal line 227 connected to all the controllers are provided the signals CT1 to CT12. An output signal line 251 of the second controller 250 transmits a signal SFT1 to an OR circuit 800, an output signal line 252 transmits the signal CT5 to the third controller 260 and the signal line 227, and an output signal line 253 transmits a signal es-end to the third controller 260. The third controller 260 applies the signal CT7 via an output signal line 263 to the fourth controller 270 and the signal line 227. The fourth controller 270 applies a signal MDEND via an output signal line 264 to the third controller 260 and a delay circuit 801. From the signal line 18 is supplied e_(i) of the variable e to the second controller 250.

FIGS. 50A₁ to 50U₁ and correspondingly continued FIGS. 50A₂ to 50U₂ show waveforms of the signals CLOCK, e-in, CT1, CT2, n-in, CT3, n-end, START, CT4, MEND, CT5, SFT1, es-end, CT6, CT7, MDEND, e-out, CT11, CT12 and CRYPT-end which occur at respective parts of the controller of FIG. 49 while in operation.

Next, a description will be given, with reference to FIG. 50, of the operation of the controller 8 shown in FIG. 49. The controller 8 inputs thereinto and outputs therefrom signals for controlling the operation C≡M^(e) mod n in the following manner: The signal CLOCK of the cryptosystem is always applied to the controller 8. Upon application of the signal e-in at a moment t₁, the first controller 230 outputs therefrom the variable e input command signal CT1, by which the variable e is input bit by bit by 512 clocks. Upon completion of this, the first controller 230 outputs, at that moment t₂, the signal CT2 representing the completion of the input of the variable e.

Next, upon application of the signal n-in at a moment t₃, the first controller 230 yields the variable n input command signal CT3, inputting the variable n by steps of four bits by 128 clocks. Upon completion of this, the first controller 230 yields the signal n-end representing the completion of the input of the variable n at that moment t₄.

Next, when the signal START is applied at a moment t₅, the first controller 230 outputs a variable M input command signal CT4 commanding that the variable M be input by steps of four bits over 128 clocks. Upon completion of the input of the variable M, the controller 230 yields the signal MEND representing the end of the input of the variable M at that moment t₆. At the same time, the controller 230 yields the signal CT5 for initializing the registers (FIG. 15) within the cryptosystem prior to starting the operation C≡M^(e) mod n.

Next, the second controller 250 generates the signal SFT1 by which the content of the e-register 102 having stored therein the variable e is circularly shifted to left bit by bit, and outputs this signal as the signal CT1 via the OR circuit 800 starting at a moment t₇. At this time, the signal CT1 is provided as clock pulses of the same number as the number of 0s on the higher-order side of the variable e represented by 512 bits. When the most significant bit (MSB) of the 512-bit-wide e-register having stored therein the variable e becomes "1" after repeating such circular left shifting bit by bit, the second controller 250 yields the signal es-end representing completion of the signal SFT1 at a moment t₈. Then, the following various signals are produced for executing the steps 2a and 2b of the exponentiation procedure.

Upon output of the signal es-end, the third controller 260 first generates the signal CT6 for preparing the start of the multiplication-division R≡M₁ ×M₂ mod n and then yields the signal CT7 indicating that the operation is in progress. By this, all the main adders 110₁ to 110₈ of the sliced sections 25₁ to 25₈ execute the multiplication-division R≡M₁ ×M₂ mod n. Upon reception of the signal MDEND indicating the completion of this multiplication-division at a moment t₉, the signal CT7 from the third controller 260 is set to 0. The signal CARRYEND on the signal line 205 and the signal SIGN on the signal line 206 are utilized during execution of the multiplication-division; this will be described later in detail. Upon each completion of the multiplication-division, the signals CT6 and SFT1 are output to repeat the operation C≡M₁ ×M₂ mod n. But when the bit e_(i) of the variable e shifted into the most significant bit (MSB) of the e-register is "1" immediately after execution of step 2a of the exponentiation procedure, the signal SFT1 is "0", so that step 2b is executed on the same bit before the next shift. The signal CT7 is output as a signal indicating the periods of execution of steps 2a and 2b of the exponentiation procedure. During execution of the multiplication-division, the signal EXP-SEL commanding the switching of the selectors 106₁ to 106₈ is provided on the signal line 221. Here, when the value of the signal EXP-SEL is 0, step 2a of the exponentiation procedure is executed and, when the signal EXP-SEL is 1, step 2b is executed. Upon completion of the exponentiation, the signal CRYPT-end is output by the second controller 250.

Upon input of the signal C-out, which commands that the variable C be brought out of the cryptosystem, at a moment t₁₀, the fifth controller 280 outputs the signal CT12 instructing that the variable C be output in steps of four bits over 128 clocks, and the signal CT11, representing the period for which the signal CT12 is valid, remains at 1 during this operation.

In this way, the controller 8 inputs therein and outputs therefrom signals for controlling a series of calculations for inputting the variables e, n and M, executing the operation C≡M^(e) mod n and outputting the variable C.

The following will describe details of operations of the signals CARRYEND and SIGN and specific arrangements of the controllers 230, 250, 260, 270 and 280.

FIG. 51 illustrates a specific example of the first controller (CTL1) 230 and FIGS. 52A to 52J show the waveforms of signals which occur at respective parts of the first controller 230 while in operation, the waveforms being labeled with corresponding signal names on the left-hand side.

When the signal e-in from a signal line 231 is input via a delay circuit 805 to a flip-flop 806, the output from the flip-flop 806 goes to a 1 to open a gate 807. Then the signal CLOCK on the signal line 240 is applied via the gate 807 to a counter 808 for counting and, at the same time, it is applied to a gate 809 to output therefrom a signal CT1' on an output signal line 234. The signal CT1' is provided to the OR circuit 800 in FIG. 49, producing the signal CT1. When the count content of the counter 808 reaches 512, the gate 809 is closed. That is, 512 signals of CT1' are generated. Further, the output from the counter 808 is sent as the signal CT2 on a signal line 238. When the signal n-in is provided on a signal line 232, the signal CT3 is output from a signal line 235 by 128 clocks, after which the signal n-end is sent on a signal line 239. When the signals CT2 and n-end are both being generated, a gate 814 is opened. Next, when the signal START is applied to the gate 814 from a signal line 233, the signal CT4 is similarly output 128 times on a signal line 236 in synchronism with clocks by means of a flip-flop 815, gates 816 and 818 and a counter 817, after which the signal MEND is sent on a signal line 237. In this way, the first controller 230 controls inputting of the variables e, n and M.

FIG. 53 illustrates a specific example of the second controller (CTL2) 250 and FIGS. 54A to 54G show signal waveforms which occur at respective parts of the second controller 250 while in operation. When the signal MEND is applied via the signal line 237 from the first controller 230, the signal CT5 is provided on a signal line 252 from a gate 820 for the delay time of a delay circuit 819. Further, while the signal MEND is applied and the signal e_(i) from a signal line 256 remains at a 0, gates 821 and 822 are opened to permit the passage therethrough of the signal CLOCK, which is provided as the signal SFT1 on a signal line 251 via an OR circuit 823. By the signal SFT1 the e-register 102 in FIG. 15 is shifted to left. When the most significant bit of the e-register 102 of the sliced section 25₁ goes to a 1, the signal e_(i) from the signal line 256 also goes to a 1 to cause a Q output of a flip-flop 824 to go to a 1, opening a gate 825 and outputting the signal es-end via a gate 826 on a signal line 253. Thereafter, upon each application of the signal SFT2 from a signal line 254, it is output as the signal SFT1 via the gate 825 and the OR circuit 823. The outputs from the OR circuit 823, that is, the signals SFT1 are counted by a counter 827, which provides the signal CRYPT-end on a signal line 255 when having counted 512 after inputting of the signal CT5.

In this way, when supplied with the signal MEND representing completion of inputting the variable M, the second controller 250 performs control of circularly shifting the content of the e-register to left until its most significant bit goes to a 1, yielding the signal SFT1 for a circular shift of the e-register left one bit position upon each application of the signal SFT2 and outputting the signal CRYPT-end after the circular shift of the e-register left a total of 512 bit positions, i.e. after one circular shift cycle of the e-register.

FIG. 55 illustrates a specific example of the third controller (CTL3) 260 in FIG. 49, and FIGS. 56A to 56H show, by way of example, signal waveforms which occur at respective parts of the third controller 260 while in operation.

Upon application of the signal CT5 via the signal line 252 from the second controller 250, flip-flops 828, 829, 830 and 831 are cleared. Upon application of the signal es-end via the signal line 253 from the second controller 250, the signal CT6 is provided via an OR circuit 832 on a signal line 261 and the flip-flop 831 is triggered via an OR circuit 833, providing a Q output of the flip-flop 831 as the signal CT7 on a signal line 263. The operation R=M₁ ×M₂ mod n is started and, upon completion of this calculation, the signal MDEND is input via a signal line 264 from the fourth controller 270, for example, at a moment t₁. The signal MDEND is applied via the OR circuit 833 to the flip-flop 831 to trigger it, causing the signal CT7 to go from a 1 to a 0. The signal e_(i) on the signal line 256 and the Q output of the flip-flop 828 are provided to a NOT EXCLUSIVE OR 834, and its output and the signal MDEND are provided to an AND gate 835, so that if the signal e_(i) is a 1 when the signal MDEND is applied at the moment t₁, the output from the NOT EXCLUSIVE OR 834 is a 0 and the output from the AND gate 835 remains at a 0, resulting in the signal SFT2 not being output on the signal line 254, as shown at a moment t₂. Moreover, since the signal MDEND, the signal e_(i) on the signal line 256 and a Q output of the flip-flop 828 are provided to an AND gate 836, the Q output from the flip-flop 828 goes to a 1 in the case where the signal e_(i) is at a 1 at the time of application of the signal MDEND. Furthermore, the signal MDEND at the moment t₁ passes through the flip-flops 829 and 830, thereafter being sent as the signal CT6 via a gate 837 and the OR circuit 832 on the signal line 261 at a moment t₃. The output from the flip-flop 830 is provided via a gate 838 and the OR circuit 833 to the flip-flop 831 to trigger it, generating the signal CT7 at a moment t₄. Consequently, the operation R≡M₁ ×M₂ mod n is resumed; namely, the step 2b is executed.
When the signal MDEND is applied again at a moment t₅, the same operations as described above are carried out but, in the case where the signal e_(i) is at a 1, the output from the circuit 834 goes to a 1, yielding the signal SFT2 as shown at the moment t₆. In the case where the signal e_(i) is at a 0 when the signal MDEND occurs at the moment t₁, however, the output from the circuit 834 goes to a 1 to generate the signal SFT2 and, by the next signal CT7, the step 2a is executed. At this time, the Q output of the flip-flop 828 is made a 0.

Thus, in the exponentiation procedure, if the condition e_(i) =0 holds immediately after the step 2a, then the content of the e-register 102 is shifted one bit position and an operation i←i-1 is performed; if e_(i) =1 immediately after the completion of the step 2a, then the step 2b is executed and the content of the e-register 102 is shifted one bit position, thereafter the operation i←i-1 is executed. These procedures are repeated until i reaches 0. Since the gate 837 is closed when the signal CRYPT-end is applied via the signal line 255 from the second controller 250, even if the signal MDEND is applied, the signal CT6 is not generated, as indicated at a moment t₆.

Thus, in the exponentiation procedure, after the calculation of the step 2 has been controlled, that is, after the variable e has been made e_(k), e_(k-1), . . . e₁, e₀ in the binary representation, the steps 2a and 2b are executed in the order i=k, k-1, . . . 1, 0.

FIG. 57 illustrates a specific example of the fourth controller (CTL4) 270 shown in FIG. 49, and FIGS. 58A to 58H show, by way of example, signal waveforms which occur at respective parts of the fourth controller 270 while in operation. Upon application of the signal CT7 via the signal line 263 from the third controller 260, the signal CT8 is provided on a signal line 271 from a gate 840. By the signal CT8, a counter 841 and a flip-flop 842 are cleared, and counters 276 and 277 are cleared via an OR circuit 843. By the signal CT7, a gate 844 is opened, through which the signal CLOCK from the signal line 240 is applied to the counter 841 for counting and, at the same time, the signal CT9 is provided via a gate 845 on a signal line 272. When the counter 841 has counted the signal CLOCK up to 128, the gate 845 is closed by the output from the counter 841 to stop sending out of the signal CT9 but, on the other hand, a gate 846 is opened, permitting the counters 276 and 277 to start counting the signal CLOCK at a moment t₁. At the moment t₁ the successive calculations of R₁ =M₁ ×M₂ mod n are completed and R₁ ≧0 is checked in Eq. (22). In the case where the signal CARRYEND is at a 0 on a signal line 275 when the counter 226 has counted the signal CLOCK up to two after the moment t₁, a gate 847 remains closed and, at a moment t₂ when the counter 277 has counted the signal CLOCK up to six, the output from the counter 277 is applied via an OR circuit 848 to a gate 849, by the output of which gates 850 and 851 are opened for a fixed period of time. At this moment t₃, the signal SIGN on a signal line 274, that is, the sign of ##EQU19## in Eq. (22), is checked. When the signal SIGN is 1, that is, when R₁ <0, the signal CT10 is sent on a signal line 275 via the gate 851. By this, the compensating calculation of Eq. (23) is performed.
At this time, the counters 276 and 277 are cleared by the output of the gate 849 via the OR circuit 843 but, at a moment t₄ of completion of this clearing, the counters 276 and 277 start counting again. At a moment t₅ when the counter 276 has counted the signal CLOCK up to two, the gate 847 is opened and if the signal CARRYEND on the signal line 275 is 1, the output of the gate 847 is provided via the OR circuit 848 to the gate 849 and, by the output of the gate 849, the gates 850 and 851 are opened at t₆, checking the signal SIGN, that is, the sign of R₁. At this time, when the signal SIGN is at a 1, the signal CT10 is output at the moment t₆. Similarly, the compensating calculation of Eq. (23) is performed and then, at a moment t₇ when the gates 850 and 851 are opened, if the signal SIGN is at a 0, the signal MDEND is provided from the gate 850 on a signal line 264. By this signal MDEND, the signal CT7 is made a 0 as described previously in respect of FIG. 55. The signal CT7 is a signal that holds a 1 during the operation R=M₁ ·M₂ mod n. Further, a Q output of the flip-flop 842 is caused by the signal MDEND to go to a 1, and a gate 852 is opened, through which the supply of the signal CLOCK to the counters 276 and 277 is continued, preventing occurrence of the signal CT10 while the signal CT7 is at a 0.

In this way, the compensating calculation for the multiplications and divisions in Eqs. (22) to (24) can be controlled. FIG. 59 illustrates a specific example of the fifth controller 280 shown in FIG. 49 and FIGS. 60A to 60D show signal waveforms which occur at respective parts of the controller 280 while in operation. Upon application of the signal CRYPT-end via a signal line 282 from the second controller 250, a gate 853 is opened by the signal CRYPT-end. If the signal C-out is input from a signal line 281 in this state, a flip-flop 854 is driven via the gate 853 and its Q output goes to a 1, which is output as the signal CT11 on a signal line 283 via a gate 855. And, by the output of the flip-flop 854, a gate 856 is opened and the signal CLOCK on the signal line 240 is counted by a counter 857. At the same time, the signal CT12' is provided via a gate 858 on a signal line 284, and output as the signal CT12 via the OR circuit in FIG. 49, and the calculation result in the C-register 104 is output from the cryptosystem. When the counter 857 has counted up to 128, the gates 855 and 858 are both closed, stopping both signals CT11 and CT12'.

After the operation C≡M^(e) mod n has thus been completed, the variable C of 512 bits can be output from the cryptosystem by steps of four bits by 128 clocks.

In the quotient calculation pre-processing section 60 shown in FIG. 7, n (2⁵¹¹ <n<2⁵¹²) is input and v is obtained by Eq. (15), i.e. v←[2¹³ ÷[n·2⁻⁵⁰⁴ ]]. A supplementary description will be given of the size of ROM 68 of the pre-processing section 60. The address of ROM 68 can be represented by a positive integer of eight-bit width based on the condition 2⁷ <[n·2⁻⁵⁰⁴ ]<2⁸. Since the addresses of 2⁷ or less are never used, however, the size of ROM 68 may be one-half of that of a ROM which also provides the addresses of 2⁷ or less. The value of v can be represented by a positive integer of six-bit width based on the condition 2⁵ <v<2⁶. But the most significant bit (MSB) of v is always 1 and this value is fixed, so that the value of v except for the "1" of the most significant bit is stored in ROM 68 using five bits and, when the value of v is referred to, one bit having the value "1" is added as the most significant bit of v by an inverter 859. It is also possible, of course, to arrange the pre-processing section 60 so that the ROM itself inputs therein n of eight bits and outputs therefrom v of six bits.

COMPENSATING CALCULATION

The calculations of Eqs. (20) and (21) are repeated and it is checked whether a compensating calculation is required in Eq. (22), and if necessary, the compensating calculation is performed. A description will be given, with reference to FIG. 22, of the compensating calculation. In the period during which the value of the signal CT10 on a signal line 300 holds zero, that is, in the period in which mainly the operations of Eqs. (17) to (22) are performed, input signal lines 303 and 304 of the selectors 301 and 302 are selected and the value of the variable R_(j+1),i is shifted left four bit positions in each of circuits 861 and 862, selecting value 2⁴ ·R_(j+1),i necessary for calculating Eq. (20).

When the signal CT10 on the signal line 300 has a value 1, that is, when the compensating calculation of Eq. (22) is executed, input signal lines 305 and 306 of the selectors 301 and 302 are selected, that is, the value of the variable R_(j+1),i is selected. In the quotient calculation post-processing section 61 shown in FIG. 8, the selector 83 selects the output of a circuit 75₃ by the signal CT10 and Q_(j) "=-1 is provided via the signal line 22 to the -Q_(j) ·n calculator 150 in FIG. 22. Furthermore, as shown in FIG. 15, an AND gate 136 is supplied with an inverted signal of the signal CT10, and hence is closed, and the output of the M₂ -register 105 is not provided on the signal line 105_(L). And, the value of the signal on the signal line 105_(L), that is, the value δ_(4(j-1)+i) ·2^(i) (i=0, 1, 2, 3) of the signal M-SIG on a signal line 21 in FIG. 6, namely, M₂,j, becomes 0 and, as a result of this, Eq. (23) is calculated in the adder 160.

This compensating calculation can be changed as follows: ##EQU20##

The compensating calculation by Eqs. (22') to (24') can be implemented, for instance, as shown in FIG. 61. The outputs R_(j+1),1 and R_(j+1),0 of the registers 170_(L) and 170_(R) are respectively applied via signal lines 313 and 314 to the selectors 311 and 312 at one input thereof and, at the same time, the register outputs are respectively shifted by the circuits 861 and 862 to the left by four bit positions and supplied to the adder 160. High-order 66 lines of the signal line 308 are connected as a signal line 315 to the other input of the selector 311. The signal line 309 is added with high-order two bits and connected as a signal line 316 to the other input of the selector 312. The number of lines of the output signal line 116 is not 64 but increased to 66 and this output is input to the register 104 shown in FIG. 15, from which it is input via the signal line 114 to the main adder 110, so that the input signal line 114 is composed of 66 and three lines.

While the signal CT10 assumes a value 0, that is, while the repetitive calculations Eqs. (7) to (12) and (21') are executed, the selectors 311 and 312 select the signal lines 313 and 314, whereby Eq. (22') is correctly calculated.

When the signal CT10 assumes a value 1, the signal lines 315 and 316 are selected and, in the adder 180, the signals R₁ and n from the selectors 311 and 312 are added. As a result of this, Eq. (23') is correctly computed. The value of the eight-divided signal R₁ on the output signal line 116 of the main adder 110' is provided to the signal line 308 shown in FIG. 61 via the register 104 and the signal line 114 shown in FIG. 15. In other words, the values eight-divided from signals R₁ and n are obtained on the signal lines 315 and 316, respectively, in consequence of which the calculation R₁ ←R₁ +n, i.e. Eq. (23') is correctly performed. Here, the value eight-divided from the signal n represents 64 bits obtained by dividing the variable n of 512-bit width equally into eight. The values of the eight-divided signal R₁ represent eight groups of bits obtained by dividing the 514-bit-width variable R₁ into a group of 66 bits and seven 64-bit groups (i.e. 514=66+64×7). In this case, since the adder 160 is not used for the compensating calculation, the circuit 75₃, the selector 83 and the signal line 20 in FIG. 8 are unnecessary, and the signal line 82 is connected directly to the signal line 22. Furthermore, the gate 136 in FIG. 15 is also unnecessary and the four output signal lines of the M₂ -register 105 are connected directly to the signal line 105_(L). Besides, the C-register 104 in FIG. 15 is made 66-bit-wide, not 64-bit-wide and, in the coupling of the registers 104₁ to 104₈ shown in FIG. 33, the register 104 is constituted as a 514-bit-wide register based on the calculation 512+2=514 as is the case with FIG. 44.

MODIFICATION OF -Q_(j) ·n CALCULATOR

A description will be given of the main point of another example of the -Q_(j) ·n calculator 150 shown in FIG. 22. |Q_(j) "| is represented as a binary number ##EQU21## For instance, in the case where |Q_(j) "|=11011, ##EQU22## With such a representation, |Q_(j) "|·n requires 5×66 bits if Q_(j) " is represented as a mere binary number but, if Q_(ja), Q_(jb) and Q_(jc) are used, 3×66 bits are sufficient for 2⁵, -2² and -1, so that 2×66 bits become unnecessary, permitting the reduction of the number of inputs to the carry save adder 160 shown in FIG. 22. FIG. 62 illustrates, by way of example, the circuit arrangement therefor corresponding to that depicted in FIG. 24. In FIG. 62, Q_(ja), Q_(jb) and Q_(jc) generators 502, 503 and 504 respectively input therein Q_(j) " from the signal line 134 and compute Q_(ja), Q_(jb) and Q_(jc) of the logic shown in FIGS. 63, 64 and 65, thereafter outputting the calculation results. For example, in FIG. 63, a column 2⁴ of D-SIG input indicates the digit position of 2⁴ of |Q_(j) "| represented as a binary number. The same is true of 2³. 2⁴, 2⁵, -2⁴ and -2⁵ in the column of output indicate output terminals of the Q_(ja) generator 502 and are caused to have a 1. 0 in the column of output indicates that the signal value at the output terminal is at a 0. For instance, in the case where q_(s), 2⁴ and 2³ in a column of input are 0, 1 and 1, it indicates that a signal at the output terminal 2⁵ is caused to have a 1. As a result of this, the quantity of data representing -Q_(j) "·n is decreased, permitting reduction of the circuit scale of the carry storage type adder 160.
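The reduction described above, recoding |Q_(j)"| into a few signed powers of two so that -Q_(j)"·n needs fewer shifted copies of n at the carry save adder, is shown below as an added example. This is not the patent's generator logic of FIGS. 62 to 65: the canonical signed-digit (CSD) recoding used here is an assumption standing in for the Q_(ja), Q_(jb) and Q_(jc) generators, chosen because it reproduces the text's own instance 11011 = 2⁵ - 2² - 1 and never needs more than three terms for a five-bit magnitude.

```python
# Added example (not the patent's circuit): canonical signed-digit recoding
# of a quotient-digit magnitude, and the signed partial products of n that
# a carry save adder would then have to sum. The CSD choice is an assumption.

def csd_recode(value):
    """Return the CSD digits of a non-negative integer as (sign, exponent)
    pairs with sign in {+1, -1}; no two adjacent positions are both nonzero."""
    if value < 0:
        raise ValueError("recode the magnitude; keep the sign q_s separately")
    terms = []
    k = 0
    while value:
        if value & 1:
            # pick the digit that leaves a multiple of 4 behind, so the next
            # position is forced to zero (this is what bounds the term count)
            d = 1 if (value & 3) == 1 else -1
            terms.append((d, k))
            value -= d
        value >>= 1
        k += 1
    return terms


def signed_partial_products(q, n):
    """Shifted copies of n, with sign, whose sum equals q * n (q may be negative)."""
    sign = -1 if q < 0 else 1
    return [sign * d * (n << k) for d, k in csd_recode(abs(q))]


def max_terms(width):
    """Largest number of CSD digits needed by any width-bit magnitude."""
    return max(len(csd_recode(q)) for q in range(1 << width))


if __name__ == "__main__":
    print(csd_recode(0b11011))      # the text's example: 2^5 - 2^2 - 1
    print(max_terms(5))             # five-bit |Q_j''| never needs more than 3 terms
```

`max_terms(5)` returning 3 is the counting argument behind the "3×66 bits are sufficient" remark: three signed, shifted copies of n replace the five unsigned copies that a plain binary |Q_(j)"| would require.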

NUMERICAL EXPRESSION OF THE PRINCIPLE OF THE MULTIPLIER-DIVIDER, THE PRINCIPLE PART OF THE CRYPTOSYSTEM OF THE PRESENT INVENTION

The principle of obtaining the quotient Q and the remainder R of a multiplication-division of integers (M₁ ×M₂)÷n is expressed below in numerical form as a theorem and its corollaries.

Theorem

The quotient Q and the remainder R of the multiplication-division of integers (M₁ ×M₂)÷n can be obtained as described hereinafter by Eqs. (F20) to (F22) based on I_(j) and R₁ obtained by repeating the recurrence formulae of Eqs. (F14) to (F19) in the order j=l, l-1, . . . , 2, 1 on the premise of Eqs. (F1) to (F13). Here, Eq. (F17) represents the range over which I_(j) is obtainable with Eq. (F16), and Eq. (F18) indicates the method of calculation of R_(j). In the equations, n, M₁, M₂, R_(j+1) and R_(j) are variables, m, K, A, λ, ω, S, t₁ and t₂ constants and α_(j) a random number the value of which irregularly varies as the value of j is changed, t₁ and t₂ being real numbers and the others being integers. Incidentally, since α_(j) naturally occurs, there is no need of taking it into account when forming adders. This means that α_(j) may be neglected, for example, in Eq. (F16).

If a multiplication-division (M₁ ×M₂ ')÷n' is performed with M₂ '=M₂ ×2 and n'=n×2 so as to obtain the quotient Q and the remainder R of the multiplication-division (M₁ ×M₂)÷n, the least significant bit δ₀ ' of M₂ ' is always 0, so that it is not a difficult condition to cause Eq. (F13) to hold when ω=1. However, since R=[R₂ ÷2] and Q=Q₂ hold for the quotient Q₂ and the remainder R₂ of (M₁ ×M₂ ')÷n', the least significant bit of R₂ is unnecessary for R.

The addition of Eq. (F18) is applied to the case of using a carry save type adder, but this addition can also be performed using a carry propagation adder, with α_(j) =0 and A=1. In the following, a constant may sometimes be called a parameter. ##EQU23##

Corollary of Theorem

Corollaries of the theorem will be given below on the assumption that the range of application of the theorem is extended. Here, a combination of corollaries 2 and 3 is impossible but a desired combination of other corollaries is possible; for example, corollaries 1, 2, 4 and 5 can be applied at the same time. Next, abridged notations X and X' and a random number β_(j), which irregularly changes its value with variations in j, are defined by the following equations: ##EQU24## where ψ and β_(j) are integers.

Corollary 1

I_(j) can be obtained with Eq. (F29) instead of Eq. (F16). But when Eq. (F29) is used, S in the theorem is replaced with S'. Incidentally, the use of a carry propagation adder for the addition of Eq. (F18) means that the application of the corollary 1 is meaningless. ##EQU25##

Corollary 2

Eqs. (F30) and (F31), but Eq. (F16) can be obtained from Eqs. (F32) to (F34) on the premise that w is an integer. In this case, however, Eqs. (F8), (F18), (F19) and (F21) become (F8)", (F18)", (F19)" and (F21)", respectively. ##EQU26##

That is, a unit of I_(j) ' is used instead of I_(j).

Corollary 3

Instead of Eq. (F16) for calculating I_(j), I_(j) can be obtained from Eqs. (F35) and (F36). In this case, however, let Eqs. (F7), (F8) and (F19) be Eq. (F7)', (F8)' and (F19)', respectively.

    $X + [(-I_j)\,n \cdot 2^{-m}] \ge 0$                (F35)

    $X + [(-I_j - 1)\,n \cdot 2^{-m}] < 0$                    (F36)

    $-2^{k} + 1 + \omega \le S \le 2^{k+1} - A - 1 - 2\omega$          (F7)'

    $2^{m+1} - n \cdot t_2 \le S \cdot 2^{m} \le t_1 \cdot n - \omega \cdot 2^{m}$          (F8)'

    $-(S+A)\cdot 2^{m} + \omega\,\delta_{(j-1)\lambda}\,[M_1 \cdot 2^{-m}]\,2^{m} \le R_j < n + (2-S)\,2^{m} + \omega\,\delta_{(j-1)\lambda}\,[M_1 \cdot 2^{-m}]\,2^{m}$          (F19)'

Corollary 4

The quotient Q and the remainder R can be obtained, letting the lower and upper limit values of I_(j) expressed by Eq. (F17) be -I₁ +1 if A·2^(-k) +t₁ ≧0 and I₂ -2 if t₂ ≧0, respectively. In this case, I₁ in the theorem becomes I₁ -1 and I₂ becomes I₂ -2.

Corollary 5

By obtaining R_(j) from Eq. (F18) using I_(j) '=I_(j) +I_(j0) ' (where I_(j0) '=±1, ±2, . . . ) for I_(j) obtained by Eq. (F16), the range of R_(j) is given by Eq. (37). If this range of R_(j) is included in the range of R_(j+1), then the theorem holds. When the corollary 5 is combined with the corollary 3, the range of R_(j) is given by Eq. (F38) and when combined with corollary 4, the range is given by Eq. (F39). When this corollary is combined with both of the corollaries 3 and 4, the range of R_(j) is given by Eq. (F38). In the case where only one of the lower and upper limit values of I_(j) is used for the corollary 4, I₁ -1 and (I₂ +2)-2 in Eq. (F39) respectively become I₁ and (I₂ +1) corresponding to the lower and upper limit values. ##EQU27##

SPECIFIC EXAMPLES OF EXPRESSIONS OF THEOREM AND COROLLARIES

The following will show by way of example that the principle of the multiplier-divider could be expressed in various forms by suitable definition of constants shown in the theorem and its corollaries. In the following, those expressions are omitted which would inevitably result from definition of the constants. As regards those equations which would become easy to understand by changing their numerical expressions, they are represented with their expression changed.

EXAMPLE 1

This is an example in which the constants K, A, λ, ω, S, t₁ and t₂, excepting m, are K=7, A=1, λ=4, ω=0, S=26, t₁ =185/128 and t₂ =0. The corollaries used are the corollary 1, the corollary 2, where w=5, and the corollary 4. ##EQU28##

EXAMPLE 2

This is an example in which I₁ and I₂ are determined using the corollary 4 and then the corollary 3 is applied.

(A) Precondition

The constants K, λ, ω, t₁, t₂ and S, excepting m and A, are determined by the following equations. ξ is a newly defined variable.

    $K \ge 2$

    $\lambda = 1$

    $\omega = 0$

    $t_1 = 2^{-k+1}$

    $t_2 = 0$

    $2^{\xi} \ge A + S$

    $S = 2$

(B) Calculations of the Constants

By obtaining I₁ and I₂ using the corollary 4, I₁ =1 and I₂ =2 are obtained, and -1≦I_(j) ≦2 holds.

Next, defining a variable Q_(j) which equals I_(j) +1, it follows that 0≦Q_(j) ≦3. Here, since the corollary 4 is applied, for example, when Q_(j) ≦4 is obtained, it is set that Q_(j) =3.

Setting ##EQU29## the relation M₂,j '=δ_(j) holds on the conditions ω=0, λ=1. Therefore, the following equations hold by the corollary 3:

    $[(2 \cdot R_{j+1})\,2^{-m}] + [(\delta_j \cdot M_1)\,2^{-m}] + 2 + \alpha_j + [(1 - Q_j)\,n \cdot 2^{-m}] \ge 0$

    $[(2 \cdot R_{j+1})\,2^{-m}] + [(\delta_j \cdot M_1)\,2^{-m}] + 2 + \alpha_j + [(-Q_j) \cdot n \cdot 2^{-m}] < 0$

Obtaining the range of R_(j) from Eq. (F19), the following equation is obtained using S+A≦2.sup.ξ : ##EQU30##

Eq. (F18) becomes as follows:

    $R_j = 2 R_{j+1} + \delta_j \cdot M_1 + (1 - I_j) \cdot n$

Taking into account that j=l, l-1, . . . 1, 0, Eq. (F20) becomes as follows:

    $R = R_0 + \delta_{3j} \cdot n$

where ##EQU31##

It will easily be understood that the expected value of δ_(3j), that is, the probability that δ_(3j) =1, becomes 2^(-k+ξ-1) on the assumption that R₀ is uniformly distributed in the section of ##EQU32##

(C) Summary of the Constants and Equations

The following equation (H6) holds for R_(j) (where j=q, q-1, . . . 1, 0) defined by the following equations (H1) to (H5) shown as equations summarizing the above, and the quotient Q and the remainder R of (M₁ ×M₂)÷n are given by the following equation (H7), where when δ_(j) =1 and Q_(j) =3 holds at the same time, it is regarded that Eq. (H2) and (H3) hold. ##EQU33##

The mean value is 2^(-k+ξ-1) when δ=1.

EXAMPLE 3

This is an example in which the corollaries 1, 2 and 4 are employed and, when j=1, the corollary 5 is further used, and in which the constants K, A, λ, ω, S, t₁, and t₂, excepting m, are set as follows: K=11, A=1, λ=8, ω=1, S=405, t₁ =1+1173/2048 and t₂ =1. Moreover, the value of w in the corollary 2 is set as w=10. ##EQU34##

EXAMPLE 4

This is an example in which the values of I₁ and I₂ are defined using the corollary 4 and then the corollaries 1 and 4 are applied.

(A) Precondition

At first, the constants are defined by the following equations, in which X_(j) ", Q_(j) " and Z_(j),μ are constants to be newly defined.

    $K = \lambda + 2$

    $L$ = the number of significant digits, i.e.

    $2^{L-1} \le n < 2^{L}$

    $t_1 = 2 - 2^{-K}$

    $t_2 = 0$

A two-output carry save adder is used.

That is, A=1, α_(j) =0, 1 ##EQU35##

(B) Calculation of the Constants

I₁ and I₂ obtained using the corollary 4 are as follows:

    $I_1 = 2^{\lambda+1},\qquad I_2 = 2^{\lambda+1} - 2$

From Eq. (F1), $L = m + K + 1$, hence $m = L - \lambda - 3$.

The range of S is obtained from Eqs. (F7) and (F8). But the range of S is made smaller than that obtained by calculation and ω is eliminated.

    $2^{\lambda+1} + 2 \le S \le 2^{\lambda+2}$

From Eqs. (F15) and (F19) the ranges of R_(j+1) and R_(j) are obtained. The following is simplified representation of the ranges of R_(j+1) and R_(j) using the condition

    $M_1 = [M_1 \cdot 2^{-m}] \cdot 2^{m} + 2^{m} \cdot \varepsilon,$

where

    $0 \le \varepsilon < 1,\qquad [M_1 \cdot 2^{-m}] \cdot 2^{m} \le M_1.$

    $-2n + \omega \cdot \delta_{j\lambda} \cdot M_1 \le R_{j+1} < n + \omega \cdot \delta_{j\lambda} \cdot M_1$

    $-n + \omega \cdot \delta_{(j-1)\lambda} \cdot M_1 < R_j < n + \omega \cdot \delta_{(j-1)\lambda} \cdot M_1$

From the corollary 2, ##EQU36## From Eq. (F17), -2^(λ+1) ≦I_(j) ≦2^(λ+1) -2.

Since Q_(j) "=I_(j) '=I_(j) +δ_(j) *, where δ_(j) *=0 or 1, the range of Q_(j) " is defined by -2^(λ+1) ≦Q_(j) "≦2^(λ+1). However, when Q_(j) " obtained from Eq. (F32) is Q_(j) "=-2^(λ+1), then Q_(j) " may be set as Q_(j) "=-2^(λ+1) +1 and when Q_(j) "=2^(λ+1), then Q_(j) " may be set as Q_(j) "=2^(λ+1) -1. As a result, the range of Q_(j) " may be defined as follows:

    $-2^{\lambda+1} + 1 \le Q_j'' \le 2^{\lambda+1} - 1$

But when Q_(j) " obtained from Eq. (F32) is Q_(j) "=-2^(λ+1), set Q_(j) "=-2^(λ+1) +1, and when Q_(j) "=2^(λ+1), set Q_(j) "=2^(λ+1) -1.

(C) Summary of Calculation Method of Parameters

At first L, λ, l, and ω are determined and then a set of integers n, S and u is obtained.

    L=the number of significant digits (the number of bits)

    λ=the length of division of M₂

    l=ceil {L÷λ}

    ω=0 or 1

    m=L-λ-3

    $2^{\lambda+1} + 2 \le S \le 2^{\lambda+2}$

    u≧2λ+4

where when ω=1, λ is an even number. ceil {x} indicates a minimum integer greater than x; for example, ceil {1.5}=2.

(D) Execution of Calculation

(a) Preparation

At first, n is input to obtain v. v=[2^(u) ÷[n·2^(-m) ]]

Next, M₁ and M₂ are input.

(b) Repeated Calculation

The calculation method is shown below in the form of a program flowchart.

Step 0:

    $j \leftarrow l,\quad R_{l+1,1} \leftarrow 0,\quad R_{l+1,0} \leftarrow 0$

Step 1: ##EQU37## where -2^(u) <X_(j) "<2^(u)

Step 2: ##EQU38## where when Q_(j) "=-2^(λ+1), set Q_(j) "=-2^(λ+1) +1, and when Q_(j) "=2^(λ+1), set Q_(j) "=2^(λ+1) -1.

Step 3: ##EQU39##

Step 4:

When j=1, go to step 5.

Otherwise j←j-1 and go back to step 1.

Step 5: Repeated Calculation ends.

(c) Compensating Calculation

Step 6: ##EQU40##

If R₁ ≧0, then go to step 8.

Step 7: ##EQU41##

Go back to step 6.

Step 8: When R₁ ≧ω·n, R₁ ←R₁ -n. Then R←R₁. Halt.
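The procedure of Example 4(D) above, and the exponentiation steps 2a and 2b that the third controller sequences around it, as an added software model that is not the patent's own equations or circuit: M₂ is consumed in λ-bit digits from the most significant end, each quotient digit Q_(j) is estimated from the top bits of the partial remainder and a short reciprocal v of the top bits of n (the patent's v=[2^(u) ÷[n·2^(-m) ]]), the main-adder step R_(j) =2^(λ) R_(j+1) +M₁ ·M₂,j -Q_(j) ·n is applied, and the compensating calculation runs once at the end. Python's arbitrary-precision integers stand in for the eight sliced 64-bit adders, and the precision choices (16 top bits of n, a 32-bit reciprocal, hence TOP_BITS and RECIP_BITS) are assumptions of this model chosen so that the remainder stays within about (-0.002·n, 1.002·n) and a single compensating step suffices; they are not the patent's m, u and S constants.

```python
import random

# Added example, not the patent's circuit: interleaved multiply-divide
# R = M1 * M2 mod n with per-digit quotient estimation, then the
# square-and-multiply exponentiation of steps 2a / 2b built on it.
# TOP_BITS and RECIP_BITS are assumptions of this model (see lead-in).

TOP_BITS = 16     # bits of n kept in [n * 2^-s]      (assumption)
RECIP_BITS = 32   # u in v = [2^u / [n * 2^-s]]       (assumption)


def reciprocal(n):
    """Return (v, s): v = [2^u / [n * 2^-s]] with [n * 2^-s] TOP_BITS wide."""
    s = n.bit_length() - TOP_BITS
    return (1 << RECIP_BITS) // (n >> s), s


def interleaved_mulmod(m1, m2, n, lam=4):
    """Return (m1 * m2 mod n, number of compensating steps that were needed).

    Each round computes R_j = 2^lam * R_{j+1} + M1 * M2_j - Q_j * n, where
    M2_j is the j-th lam-bit digit of M2 and Q_j the estimated quotient digit.
    """
    if not (0 <= m1 < n and 0 <= m2 < n and n.bit_length() > TOP_BITS):
        raise ValueError("operands must lie in [0, n) and n must exceed TOP_BITS bits")
    v, s = reciprocal(n)
    ndigits = (n.bit_length() + lam - 1) // lam   # l = ceil(L / lam)
    mask = (1 << lam) - 1
    r = 0                                         # R_{l+1} = 0
    for j in range(ndigits - 1, -1, -1):
        m2_j = (m2 >> (j * lam)) & mask           # lam-bit digit of M2
        r = (r << lam) + m1 * m2_j                # 2^lam * R_{j+1} + M1 * M2_j
        x = r >> s                                # top bits of R (floor, also for r < 0)
        q = (x * v) >> RECIP_BITS                 # quotient digit estimate Q_j
        r -= q * n                                # main adder: subtract Q_j * n
    # Compensating calculation: with the precision chosen above the estimate
    # leaves R within about (-0.002 n, 1.002 n), so at most one branch fires once.
    corrections = 0
    while r < 0:                                  # R1 < 0  -> R1 + n
        r += n
        corrections += 1
    while r >= n:                                 # R1 >= n -> R1 - n
        r -= n
        corrections += 1
    return r, corrections


def modexp(m, e, n, lam=4):
    """C = M^e mod n: leading zeros of e are skipped (as the e-register shift
    does), then every bit runs step 2a (C <- C*C mod n) and, when the bit is
    1, step 2b (C <- C*M mod n)."""
    c = 1
    for i in range(e.bit_length() - 1, -1, -1):
        c, _ = interleaved_mulmod(c, c, n, lam)        # step 2a
        if (e >> i) & 1:
            c, _ = interleaved_mulmod(c, m, n, lam)    # step 2b
    return c


def self_check(trials=50, bits=512, seed=1):
    """Compare against Python's own big-integer arithmetic on random
    operands (constructed test data) and return the largest number of
    compensating steps observed."""
    rng = random.Random(seed)
    worst = 0
    for _ in range(trials):
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # 2^(bits-1) < n < 2^bits, odd
        m1, m2 = rng.randrange(n), rng.randrange(n)
        r, k = interleaved_mulmod(m1, m2, n)
        if r != (m1 * m2) % n:
            raise AssertionError("interleaved multiply-divide disagrees with m1*m2 % n")
        worst = max(worst, k)
    return worst


if __name__ == "__main__":
    print("max compensating steps over random 512-bit trials:", self_check())
```

The estimate for Q_(j) uses floor division throughout, so a negative partial remainder is handled by the same code path as a positive one, which is the role the SIGN and CARRYEND checks play in the hardware; `self_check()` reporting at most one compensating step is the software counterpart of the controller needing at most one pass through Eq. (23).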

EXAMPLE 5

This is an example in which K=λ+3 is set in place of K=λ+2 in Example 4. The other conditions are the same as those in Example 4. Only differences between the two example are given below.

    $K = \lambda + 3$

    $m = L - \lambda - 4$

    $u \ge 2\lambda + 5$

The aforementioned embodiment of the present invention is described in connection with the case where L=512, λ=4, l=128 and ω=0 and m=504, S=38 and u=13 are adopted.

Furthermore, it will easily be seen that, by setting K=λ+i', i'=4, 5, . . . , such various expressions as described above in respect of Examples 4 and 5 can be obtained.

VERIFICATION OF NUMERICAL EXPRESSIONS OF THE PRINCIPLE OF THE MULTIPLIER-DIVIDER

Verification of Theorem

Preparation of Verification

The following are definitions of abridged numerical expressions:

    $R_{-m} = [(2^{\lambda} \cdot R_{j+1})\,2^{-m}]$  (F67)

    $M_{-m} = [(M_1 \cdot M_{2,j}')\,2^{-m}]$       (F68)

    $\omega_{-m} = [(-\omega \cdot \delta_{j\lambda}\,2^{\lambda} \cdot M_1)\,2^{-m}]$                              (F69)

    $\omega_{-m-1} = [(\omega \cdot \delta_{(j-1)\lambda} \cdot M_1)\,2^{-m}] = \omega \cdot \delta_{(j-1)\lambda}\,[M_1 \cdot 2^{-m}]$   (F70)

From Eq. (F15),

    $-A \cdot n \cdot 2^{-k+\lambda} - 2^{\lambda} \cdot t_1 \cdot n + \omega \cdot \delta_{j\lambda}\,2^{\lambda} M_1 \le 2^{\lambda} R_{j+1} < 2^{\lambda} \cdot n + 2^{\lambda} t_2 \cdot n + \omega \cdot \delta_{j\lambda}\,2^{\lambda} M_1$   (F71)

Setting h=K-λ-log₂ A, from Eq. (F3),

    h≧0                                                 (F72)

Omitting low-order m bits on either side of Eq. (F71),

    [(-n·2.sup.-h -2.sup.λ ·t.sub.1 ·n+ω·δ.sub.jλ 2.sup.λ M.sub.1)2.sup.-m ]≦R.sub.-m                        (F 73)

    R.sub.-m <[(2.sup.λ ·n+2.sup.λ ·t.sub.2 ·n+ω·δ.sub.jλ 2.sup.λ M.sub.1)2.sup.-m ]                                        (F74)

On the other hand, the following equation holds for the real number x_(i) and an integer φ where δ.sub.φ is an integer. ##EQU42## When ω≠0, applying Eq. (F75) to M₁ ×Eq. (F10),

    M.sub.-m =[(M.sub.1 ·M.sub.2,j)2.sup.-m ]+ω.sub.-m +ω.sub.-m-1 +γ.sub.3 ·ω        (F77)

    γ.sub.3 =0, 1 or 2                                   (F78)

From Eq. (F9)×M₂,j

    0≦[(M.sub.1 ·M.sub.2,j)2.sup.-m ]<[(n·M.sub.2,j)2.sup.-m ]                       (F79)

From Eqs. (F77) and (F79),

    ω.sub.-m +ω.sub.-m-1 +γ.sub.3 ·ω≦M.sub.-m                         (F 80)

    M.sub.-m <ω.sub.-m +ω.sub.-m-1 +γ.sub.3 ·ω+[(n·M.sub.2,j)2.sup.-m ]       (F81)

Next, substituting Eqs. (F67), (F68) and (F70) into Eq. (F16) ##EQU43## On the other hand, the following equation holds for the integer I and the real number x:

    [I+x]=I+[x]                                                (F84)

Accordingly, removing the Gaussian symbols from both sides of Eqs. (F82) and (F83) and omitting the decimal point, Eqs. (F82) and (F83) become the following equations, because R_(-m), S, α_(j) and ω_(-m-1) are all integers.

    R.sub.-m +M.sub.-m +S+α.sub.j -ω.sub.-m-1 +[(-I.sub.j)·[n·2.sup.-m ]]≧0    (F82)'

    R.sub.-m +M.sub.-m +S+α.sub.j -ω.sub.-m-1 +[(-I.sub.j -1)·[n·2.sup.-m ]]<0                    (F83)'

However, the following equation holds for the integer I and the real number x>0, with P an integer.

    [(-I)·[x]]=[(-I)·x]+P                    (F85)

where ##EQU44## The following is assumed as the condition on I_(j), letting I₁ ' and I₂ ' be integers. ##EQU45##

(A) When I_(j) <0:

Eqs. (F85) to (F88) are applied to Eqs. (F82)' and (F83)'.

    R.sub.-m +M.sub.-m +S+α.sub.j -ω.sub.-m-1 +[(-I.sub.j)n·2.sup.-m ]+P.sub.1 ≧0       (F89)

    R.sub.-m +M.sub.-m +S+α.sub.j -ω.sub.-m-1 +[(-I.sub.j -1)n·2.sup.-m ]+P.sub.1 <0                       (F90)

    -I.sub.1 '≦P.sub.1 ≦0                        (F91)

(B) When I_(j) ≧0:

The following equations are obtained in the same manner as described above.

    R.sub.-m +M.sub.-m +S+α.sub.j -ω.sub.-m-1 +[(-I.sub.j)n·2.sup.-m ]+P.sub.2 ≧0       (F92)

    R.sub.-m +M.sub.-m +S+α.sub.j -ω.sub.-m-1 +[(-I.sub.j -1)n·2.sup.-m ]+P.sub.2 <0                       (F93)

    0≦P.sub.2 ≦I.sub.2 '+1                       (F94)

Lower Limit Value of I_(j) (left side of Eq. (F17))

Using U for the left side of Eq. (F89) and substituting with I_(j) =-2.sup.λ t₁ -2,

    R.sub.-m +M.sub.-m +S+α.sub.j -ω.sub.-m-1 +[(2.sup.λ t.sub.1 +2)n·2.sup.-m ]+P.sub.1 =U               (F95)

From Eq. (F73)+Eq. (F88)+Eq. (F95),

    [(-n·2.sup.-h -2.sup.λ ·t.sub.1 ·n+ω·δ.sub.jλ ·2.sup.λ M.sub.1)2.sup.-m ]+ω.sub.-m +ω.sub.-m-1

     +γ.sub.3 ·ω+S+α.sub.j -ω.sub.-m-1 +P.sub.1 +[(2.sup.λ t.sub.1 +2)n·2.sup.-m ]≦U

Applying Eq. (F75) to the above equations in the cases of ω=0 and ω≠0 separately,

    [(1-2.sup.-h)n·2.sup.-m +n·2.sup.-m ]-γ.sub.2 +γ.sub.3 ·ω+S+α.sub.j +P.sub.1 ≦U (F96)

    γ.sub.2 =0, . . . 1+ω                          (F97)

    ∴[(1-2.sup.-h)n·2.sup.-m ]+[n·2.sup.-m ]+ε.sub.1 -γ.sub.2 +γ.sub.3 ω+S+α.sub.j +P.sub.1 ≦U                                        (F98)

where,

    ε.sub.1 =0 or 1                                    (F99)

From Eq. (F72), [(1-2^(-h))n·2^(-m) ]≧0, and from Eq. (F1) 2^(K) ≦[n·2^(-m) ]. Therefore, the left side of Eq. (F98) becomes minimum when ε₁ =0, γ₂ =1+ω, γ₃ =0, α_(j) =0, P₁ =-I₁ '.

    ∴2.sup.K -(1+ω)+S-I.sub.1 '≦U         (F100)

Accordingly, if I₁ ' is selected such that I₁ '=[2.sup.λ t₁ +2]≧1, the condition of Eq. (F88) is satisfied by Eq. (F7) and I₁ '=I₁, resulting in the following equation holding:

    0≦U                                                 (F101)

Further, when I_(j) <-2.sup.λ t₁ -2, Eq. (F89) holds but Eq. (F90) does not hold.

    ∴-I.sub.1 ≦I.sub.j                          (F 102)

Upper Limit Value of I_(j) (right side of Eq. (F17))

Using V for the left side of Eq. (F93) with I_(j) =2.sup.λ+1 +2.sup.λ ·t₂ substituted, it follows from 2.sup.λ+1 =2.sup.λ +2.sup.λ that

    V=R.sub.-m +M.sub.-m +S+α.sub.j -ω.sub.-m-1 +[(-2.sup.λ n-2.sup.λ n-2.sup.λ t.sub.2 -n)2.sup.-m ]+P.sub.2 (F 103)

Eq. (F74)+Eq. (F81)+Eq. (F103) ##EQU46## Eq. (F75) is applied to Eq. (F105) ##EQU47## where

    ε.sub.1 =0 or 1                                    (F107)

    γ.sub.4 =0, 1, 2 or 3                                (F108)

    γ.sub.3 =0, 1 or 2                                   (F78)'

However, [(-2n)2^(-m) ]≦-2^(k+1) holds from Eq. (F1) and M₂,j ≦(2.sup.λ-1), that is, [(M₂,j -(2.sup.λ -1))n·2^(-m) ]≦0 holds from Eq. (F12). Since the right side of Eq. (F106) becomes maximum when ε₁ =1, γ₄ =0, γ₃ =2, α_(j) =A, P₂ =I₂ '+1,

    V<-2.sup.k+1 +1+2ω+S+A+I.sub.2 '+1                   (F109)

Accordingly, if I₂ ' is selected such that I₂ '=[2.sup.λ+1 +2.sup.λ ·t₂ ]≧0, then the condition of Eq. (F88) is satisfied by Eq. (F7) and, from Eq. (F7), the following equation holds with I₂ '=I₂.

    V<0                                                        (F110)

On the other hand, when I_(j) >2.sup.λ+1 +2.sup.λ ·t₂, Eq. (F93) holds but Eq. (F92) does not.

    ∴I.sub.j ≦I.sub.2                           (F 111)

Range of R_(j) (Verification of Eq. (F19))

Eq. (F75) is applied to Eqs. (F89) and (F92) to substitute therein Eq. (F18).

    [(R.sub.j)2.sup.-m ]-γ.sub.3 +S+α.sub.j -ω.sub.-m-1 +P≧0                                               (F112)

where

    γ.sub.3 =0, 1 or 2                                   (F113)

##EQU48##

The left side of the above equation becomes minimum when γ.sub.3 =0, α.sub.j =A, P=P.sub.2 =I.sub.2 +1. ##EQU49##

Next, Eq. (F75) is applied to Eqs. (F90) and (F93) to substitute thereinto Eq. (F18). ##EQU50## where

    γ.sub.3 =0, 1 or 2                                   (F117)

##EQU51##

The right side of the above equation becomes maximum when γ.sub.3 =2, α.sub.j =0, P=P.sub.1 =-I.sub.1. ##EQU52##

By Eqs. (F115) and (F119) it has been verified that Eq. (F19) holds.

RELATIONSHIP BETWEEN RANGES OF R_(j+1) AND R_(j) ((F15) AND (F19))

Next, the fact that the range of R_(j) given by Eq. (F19) is smaller than the range of R_(j+1) given by Eq. (F15) is shown using j+1 for j and δ_(j)λ for δ.sub.(j-1)λ in Eq. (F19).

Set R_(U) =(upper limit value of R_(j+1) -upper limit value of R_(j)). ##EQU53## Therefore, from Eq. (F8)

    R.sub.U ≧0                                          (F121)

Set R_(L) =(lower limit value of R_(j) -lower limit value of R_(j+1)). ##EQU54## Therefore, from Eq. (F8)

    R.sub.L ≧0                                          (F122)

By Eqs. (F121) and (F122) it has been verified that the range of R_(j) is included in the range of R_(j+1).

Accordingly, the recurrence formulas shown by Eqs. (F14) to (F19) can be repeated in the order j=l, l-1, . . . 2, 1, and R_(l), R_(l-1), . . . , R₂, R₁ and I_(l), I_(l-1), . . . I₂, I₁ can be obtained.

CALCULATION OF R AND Q (EQS. (F120) TO (F122))

The following equation is obtained by performing an operation ##EQU55## on both sides of Eq. (F20). ##EQU56## Accordingly, substituting R_(l+1) =0, δ_(l)λ =0, δ₀ =0 and M₂ from Eqs. (F11) to (F14) into the above equation, ##EQU57## On the other hand, the following equation holds for the quotient Q and the remainder R of (M₁ ×M₂)÷n.

    R=M.sub.1 ×M.sub.2 -n×Q                        (F125)

From Eqs. (F123) and (F125) it follows that

    R-R.sub.1 =-n×(Q-Q.sub.1)                            (F126)

Since Q and Q₁ are integers, it is seen that the difference between R and R₁ is an integral multiple of n. Further, R₁ satisfies Eq. (F19) with I₁ and I₂ substituted thereinto.

    ∴-(S+A+[2.sup.λ+1 +2.sup.λ ·t.sub.2 +1])2.sup.m +ω·δ.sub.0 [M.sub.1 ·2.sup.-m ]·2.sup.m

     ≦R.sub.1 <n+(2-S+[2.sup.λ ·t.sub.1 +2])·2.sup.m +ω·δ.sub.0 [M.sub.1 ·2.sup.-m ]2.sup.m

However, since 0<ω·δ₀ [M₁ ·2^(-m) ]·2^(m) <nω holds from Eq. (F9), the following equation can be obtained.

    -(S+A+[2.sup.λ+1 +2.sup.λ ·t.sub.2 +1])2.sup.m ≦R.sub.1 <2n+(2-S+

     [2.sup.λ ·t.sub.1 +2])·2.sup.m +nω(F127)

Then, the following equation is obtained from 2^(m) ×Eq. (F7)

    (-2.sup.k+1 +1+2ω)·2.sup.m ≦-(S+A+[2.sup.λ+1 +2.sup.λ ·t.sub.2 +1])·2.sup.m   (F 128)

    (2-S+[2.sup.λ ·t.sub.1 +2])2.sup.m ≦(2.sup.k +1-ω)2.sup.m                                        (F 129)

From Eqs. (F127) to (F129) it follows that

    (-2.sup.k+1 +1+2ω)·2.sup.m ≦R.sub.1 <n+(2.sup.k +1-ω)·2.sup.m +nω                    (F130)

Further, -2n≦-2^(m+k+1), 2^(m+k) ≦n hold from Eq. (F1) and, substituting them into the above equation,

    -2n+(1+2ω)·2.sup.m ≦R.sub.1 <2n+(1-ω)·2.sup.m +nω

From Eq. (F6), ω=0 or 1 and, substituting it into the left side of the above equation,

    -2n<R.sub.1 <2n+(1-ω)·2.sup.m +nω     (F131)

Since the difference between R and R₁ is an integral multiple of n, it is easily seen from Eqs. (F125) and (F126) that Eqs. (F20) to (F22) hold. Thus, it has been entirely verified that the theorem holds.

VERIFICATION OF COROLLARIES OF THEOREM

Verification of Corollary 1

From Eq. (F25) ##EQU58## where, 0≦β_(j),R ≦1

From Eq. (F26) ##EQU59## where

    0≦β.sub.j,z '≦φ-1

From Eqs. (F132), (F133) and (F134) ##EQU60## where β_(j) =β_(j),R +β'_(j),z

    0≦β.sub.j ≦φ                        (F137)

Substituting Eqs. (F136) and (F137) into Eq. (F23), the following equation is obtained taking Eq. (F27) into account.

    X=X'                                                       (F138)

Accordingly, it is understood from Eqs. (F16) and (F138) that Eq. (F29) holds. Incidentally, when Eq. (F29) is used, S' is used instead of S in the theorem.

Verification of Corollary 2

Substituting X in Eq. (F23) into Eqs. (F82) and (F83),

    X+(-I.sub.j)·[n·2.sup.-m ]≧0      (F82)'

    X+(-I.sub.j -1)·[n·2.sup.-m ]<0          (F83)'

    ∴(I.sub.j)·[n·2.sup.-m ]≦X<(I.sub.j +1)·[n·2.sup.-m ]                       (F139)

By substituting the minimum and the maximum value of I_(j) in Eq. (F17) into the left and the right side, respectively, the following equation is obtained.

    -I.sub.1 ·[n·2.sup.-m ]≦X<(I.sub.2 +1)·[n·2.sup.-m ]

Substituting Eqs. (F30) and (F31) into the above equation,

    -2.sup.w [n·2.sup.-m ]≦X<2.sup.w ·[n·2.sup.-m ]                          (F140)

From Eq. (F1), [n·2^(-m) ]<2^(k+1) holds: substituting it into the above equation,

    -1<X·2.sup.-(k+w+1) <1                            (F141)

Next, Y is defined in the following manner. ##EQU61## Substituting v from Eq. (F33), ##EQU62## so that the following equation is obtained taking Eq. (F141) into account. ##EQU63##

Setting δ₁ =1-δ_(j) * and substituting Y, ##EQU64## δ_(j) *=0, 1 and I_(j) in Eq. (F16) to obtain Eq. (F32).

Next, Eq. (F19)" is verified. Eq. (F75) is applied to Eqs. (F89) and (F92) to substitute thereinto Eq. (F18)". ##EQU65## where γ₃ =0, 1, 2 ##EQU66## Thereafter, the following equation is obtained in the same manner as in the case of Eq. (F115). ##EQU67## The left side of the above equation becomes minimum when δ_(j) *=1, by which the left side of Eq. (F19)" is verified.

Next, Eq. (F75) is applied to Eqs. (F90) and (F93) to substitute thereinto Eq. (F18)". ##EQU68## where γ₃ =0, 1, 2 ##EQU69## Thereafter, the following equation is obtained in the same manner as in the case of obtaining Eq. (F119). ##EQU70## The right side of the above equation becomes maximum when δ_(j) *=0, by which the right side of Eq. (F19)" is verified.

Next, it is verified that Eq. (F8) is necessary. Set R_(L) '=(the lower limit value of R_(j))-(the lower limit value of R_(j+1)), then ##EQU71## Thus, evidence has been given that Eq. (F8)" is necessary. The upper limit value remains unchanged.

Next, an operation ##EQU72## is performed on both sides of Eq. (F18)" to obtain the following equation.

    R.sub.1 =M.sub.1 ×M.sub.2 -n×Q.sub.1 '         (F123)'

where ##EQU73## It is evident that Eqs. (F21)" and (F22)" hold in the same manner as Eqs. (F125) to (F131).

Verification of Corollary 3

The conditions under which Eqs. (F35) to (F36) hold mean that Eqs. (F90), (F92) and (F93) hold regardless of whether I_(j) is positive or negative, and with P₁ =0, P₂ =0.

Accordingly, Eq. (F100) becomes as follows:

    2.sup.k -(1+ω)+S≦U                            (F100)'

However, 0≦U unconditionally holds from Eq. (F7)'. Further, it is apparent that when I_(j) <-2.sup.λ t₁ -2, Eqs. (F90) and (F93) do not hold.

    ∴-I.sub.1 ≦I.sub.j                                  (F102)'

Similarly, Eq. (F109) becomes as follows:

    V<-2.sup.k+1 +1+2ω+S+A                               (F109)'

However, V<0 unconditionally holds from Eq. (F7)'. It is apparent that when I_(j) >2.sup.λ+1 +2.sup.λ ·t₂, Eqs. (F89) and (F92) do not hold.

    ∴I.sub.j ≦I.sub.2                           (F 111)'

Next, since P=0 holds in Eq. (F114), Eq. (F19)' holds by checking the proof of the theorem following Eq. (F112), and it is evident that Eq. (F8)' is a precondition of the theorem.

Verification of Corollary 4

(A) Lower Limit Value of I_(j)

I_(j) =-2.sup.λ ·t₁ -1 is substituted into Eq. (F18).

    R.sub.j =2.sup.λ ·R.sub.j+1 +M.sub.1 ·M.sub.2,j -ω·δ.sub.jλ 2.sup.λ M.sub.1 +ω·δ.sub.(j-1)λ M.sub.1

     +(2.sup.λ ·t.sub.1 +1)n

From Eq. (F12), M₂,j ≦0, substituting it into the above equation,

    R.sub.j ≧2.sup.λ {R.sub.j+1 -(-A·n·2.sup.-k -t.sub.1 ·n+ω·δ.sub.jλ ·M.sub.1)}

     +n(1-2.sup.-(k-λ-log.sbsp.2.sup.A))+ω·M.sub.1 ·δ.sub.(j-1)λ                       (F 146)

Therefore, from Eqs. (F15) and (F3),

    ω·δ.sub.(j-1)λ ·M.sub.1 ≦R.sub.j                                           (F 147)

Next, consider the case where I_(j) =-2.sup.λ ·t₁ -2. In this case, Eq. (F19) holds naturally. At this time, when obtaining R_(j) from Eq. (F18) with I_(j) =-2.sup.λ ·t₁ -1, R_(j) is smaller by n than in the case where I_(j) =-2.sup.λ ·t₁ -2, but the lower limit value of R_(j) is defined by Eq. (F147). Accordingly, it is seen that the lower limit value of R_(j) is larger than the lower limit value of R_(j+1) shown by Eq. (F15) because -A·n2^(-k) -t₁ ·n≦0 holds as the precondition for corollary 4.

(B) Upper Limit Value of I_(j)

I_(j) =2.sup.λ+1 +2.sup.λ ·t₂ -2 is substituted into Eq. (F18). Setting 2.sup.λ+1 =2.sup.λ +2.sup.λ,

    R.sub.j =2.sup.λ ·R.sub.j+1 +M.sub.1 ·M.sub.2,j -ω·δ.sub.jλ M.sub.1 ·2.sup.λ +ω·M.sub.1 ·δ.sub.(j-1)λ

     -(2.sup.λ +2.sup.λ +2.sup.λ t.sub.2 -2)n

From Eq. (F12), M₂,j ≦2.sup.λ -1; substituting it into the above equation,

    R.sub.j ≦2.sup.λ {R.sub.j+1 -(n+t.sub.2 ·n+ω·δ.sub.jλ M.sub.1)}

     +(M.sub.1 -n)(2.sup.λ -1)+n+ω·M.sub.1 ·δ.sub.(j-1)λ                       (F 148)

Accordingly, from Eq. (F15)

    R.sub.j <n+ω·M.sub.1 ·δ.sub.(j-1)λ(F 149)

Next, consider the case where 2.sup.λ+1 +2.sup.λ ·t₁ ≧I_(j) ≧2.sup.λ+1 +2.sup.λ t₁ -1 holds. In this case, Eq. (F19) naturally holds. At this time, R_(j) obtained from Eq. (F18) by setting I_(j) =2.sup.λ+1 +2.sup.λ ·t₁ -2 is found to be larger by +n or +2n than the value for the former I_(j) (2.sup.λ+1 +2.sup.λ t₁ ≧I_(j) ≧2.sup.λ ·t₁ -1), but the upper limit value of R_(j) at that time is defined by Eq. (F149).

Accordingly, it is seen that the upper limit value of R_(j) is smaller than the upper limit value of R_(j+1) because t₂ ·n≧0 holds as the precondition for corollary 4.

Thus, evidence has been given that the corollary 4 holds.

Verification of Corollary 5

It is evident from Eq. (F18) that Eq. (F19) holds, permitting corollary 5 to hold.

As described above, according to the present invention, since (M₁ ×M₂)÷n can be executed by performing the multiplication and the division in parallel using the same clock, the quotient Q and/or the remainder R can be obtained at high speed.

M₁ ·M₂,j CALCULATOR

Concerning the multiplication described in the theorem, supplemental explanation will be made below with respect to the condition ω=1.

In Eq. (F10), setting ω=1, the following equation is obtained.

    M.sub.2,j '=M.sub.2,j -δ.sub.jλ ·2.sup.λ +δ.sub.(j-1)λ

A description will be given of the case where λ=6. M_(2ja), M_(2jb) and M_(2jc) are defined as follows:

    M.sub.2ja =-δ.sub.6(j-1)+6 ·2.sup.6 +δ.sub.6(j-1)+5 ·2.sup.5

     +2·δ.sub.6(j-1)+4 ·2.sup.4

    M.sub.2jb =-δ.sub.6(j-1)+4 ·2.sup.4 +δ.sub.6(j-1)+3 ·2.sup.3

     +2·δ.sub.6(j-1)+2 ·2.sup.2

    M.sub.2jc =-δ.sub.6(j-1)+2 ·2.sup.2 +δ.sub.6(j-1)+1 ·2.sup.1

     +2·δ.sub.6(j-1)+0 ·2.sup.0

Then, M₂,j ' is as follows:

    M.sub.2,j '=M.sub.2ja +M.sub.2jb +M.sub.2jc

M_(2ja), M_(2jb) and M_(2jc) can be implemented by a circuit similar to that for Q_(ja), Q_(jb) and Q_(jc) described previously in connection with the -Q_(j) ·n calculator with reference to FIG. 62. With such an arrangement, the quantity of data representing M₁ ·M₂,j ' is decreased, permitting reduction of the circuit scale of the carry save adder 16.
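As an added example, not code from the patent, the following Python checks the λ=6 recoding above: that M_(2ja)+M_(2jb)+M_(2jc) equals M₂,j' = M₂,j − δ_(jλ)·2^λ + δ_((j-1)λ), that each part is a coefficient in {−2, ..., 2} times 2⁵, 2³ or 2¹ (so the products M₁·M_(2ja) etc. need only 0, ±M₁ or ±2M₁ shifted, which is the circuit-size point made above), and that the recoded digits still reconstruct the multiplier. One assumption is made about bit numbering, since the page does not spell it out: δ_i is taken as bit i of 2·M₂, i.e. of M₂ with a zero appended below its least significant bit, which is what makes δ₀=0 as the page assumes; the recoded digits then represent 2·M₂ and the example halves the product at the end. Function names are this example's own.

```python
# Added example, not code from the patent: the ω=1, λ=6 recoding of the
# multiplier digit, M2,j' = M2,j − δ_{jλ}·2^λ + δ_{(j−1)λ}, into the parts
# M2ja, M2jb, M2jc written above, and a multiplication whose partial products
# are only 0, ±M1, ±2·M1 shifted.
# ASSUMPTION on bit numbering: δ_i is bit i of X = 2·M2, i.e. of M2 with a
# zero appended below its least significant bit, so δ_0 = 0 as the page takes
# it.  The recoded digits then represent X = 2·M2, and the product is halved
# at the end; where the hardware absorbs that factor is not shown on the page.

LAM = 6

def delta(x, i):
    """δ_i: bit i of the appended-zero multiplier x = 2·M2 (δ_0 is always 0)."""
    return (x >> i) & 1

def m2_digit(x, j):
    """M2,j: the j-th λ-bit digit of x (j = 1 is least significant)."""
    return (x >> (LAM * (j - 1))) & ((1 << LAM) - 1)

def m2_digit_prime(x, j):
    """M2,j' = M2,j − δ_{jλ}·2^λ + δ_{(j−1)λ} (page's Eq. (F10) with ω=1)."""
    return m2_digit(x, j) - (delta(x, j * LAM) << LAM) + delta(x, (j - 1) * LAM)

def booth_parts(x, j):
    """M2ja, M2jb, M2jc exactly as written on the page, with b = 6(j−1)."""
    b = LAM * (j - 1)
    d = lambda k: delta(x, b + k)
    m2ja = -d(6) * 2**6 + d(5) * 2**5 + 2 * d(4) * 2**4
    m2jb = -d(4) * 2**4 + d(3) * 2**3 + 2 * d(2) * 2**2
    m2jc = -d(2) * 2**2 + d(1) * 2**1 + 2 * d(0) * 2**0
    return m2ja, m2jb, m2jc

def digit_count(x):
    """Digits needed so that δ_{lλ}, the bit above the top digit, is zero."""
    return max(1, (x.bit_length() + LAM - 1) // LAM)

def check_recoding(m2):
    """True if for every digit j: M2ja+M2jb+M2jc == M2,j'; each part is a
    coefficient in {−2,…,2} times 2^5, 2^3, 2^1 respectively; and the recoded
    digits telescope back to X = 2·M2 (this needs δ_0 = 0 and δ_{lλ} = 0)."""
    x = m2 << 1
    total = 0
    for j in range(1, digit_count(x) + 1):
        parts = booth_parts(x, j)
        if sum(parts) != m2_digit_prime(x, j):
            return False
        for part, shift in zip(parts, (5, 3, 1)):
            if part % (1 << shift) or not -2 <= (part >> shift) <= 2:
                return False
        total += m2_digit_prime(x, j) << (LAM * (j - 1))
    return total == x

def mul_via_booth(m1, m2):
    """M1·M2 from Σ_j M1·M2,j'·2^((j−1)λ): each M1·part is coef·M1 shifted,
    coef ∈ {−2,−1,0,1,2}, the reduced operand set the page credits with
    shrinking the carry save adder.  The sum equals 2·M1·M2, hence the final
    exact halving (see the assumption above)."""
    x = m2 << 1
    acc = 0
    for j in range(1, digit_count(x) + 1):
        for part, shift in zip(booth_parts(x, j), (5, 3, 1)):
            coef = part >> shift                # exact: part is a multiple of 2^shift
            acc += (coef * m1) << (shift + LAM * (j - 1))
    return acc >> 1
```

Each of the three parts is a radix-4 Booth digit (−2b₂+b₁+b₀ over a three-bit window that shares one bit with its neighbour), which is why a six-bit multiplier digit costs three small partial products instead of a 64-entry multiple of M₁.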

Supplemental Description of Theorem 3

A description will be given of the general arrangement of a circuit for calculating the value of I_(j) by Eqs. (F35) and (F36). Since this circuit arrangement is identical with that of the circuit for calculating the value of Q_(j) by Eqs. (H2) and (H3) described previously in Example 2, the latter will hereinafter be described with reference to FIG. 66.

FIG. 66 illustrates a quotient calculator 9" for calculating the value of Q_(j) based on Eqs. (H2) and (H3). Input signal lines 601, 602, 603 and 604 receive the variables R_(j+1), δ_(j), M₁ and n, respectively. An AND circuit 871 obtains [δ_(j) ·M₁ ·2^(-m) ]. An adder 620 performs the operation [2R_(j+1) ·2^(-m) ]+[δ_(j) ·M₁ ·2^(-m) ]+2; the last term, +2, is generated within the adder 620. Circuits 621, 622 and 623 receive n and output [n·2^(-m) ], [-n·2^(-m) ] and [-2n·2^(-m) ], respectively. The output of the adder 620 is added to the outputs of the circuits 621, 622 and 623 by adders 625, 627 and 628, respectively, and to 0 by an adder 626. The adders 625 to 628 thus evaluate the following expression for Q_(j) =0, 1, 2 and 3, respectively, and each outputs a 0 or 1 according to whether the result is positive or zero, or negative.

    [2R.sub.j+1 ·2.sup.-m ]+[δ.sub.j ·M.sub.1 ·2.sup.-m ]+[(1-Q.sub.j)·n·2.sup.-m ]+2

The output signs are indicated by signals QA1, QA2, QA3 and QA4, respectively. These signals are applied to a circuit 629, which provides a signal QB based on the logic shown in FIG. 67. The signal QB is equal to the value Q_(j) which satisfies Eqs. (H2) and (H3); in this way, the value Q_(j) satisfying Eqs. (H2) and (H3) is output as the signal QB.

ANOTHER METHOD OF MULTIPLICATION-DIVISION

The following describes how the calculation for the RSA cryptography can be performed even if the multiplier-divider, which is a main constituent of the cryptosystem of the present invention, is replaced with another kind of multiplier-divider. A description will be given first of another method of multiplication-division, then of a multiplier-divider based on that calculation method and finally of the arrangement of the cryptosystem.

ANOTHER METHOD OF MULTIPLICATION-DIVISION

This multiplication-division is performed by a method which can easily be deduced from an ordinary calculation method. At first, the multiplication M₁ ×M₂ is executed and then the division (M₁ ×M₂)÷n is performed to obtain the remainder.

(A) Multiplication

The multiplication M₁ ×M₂ is performed in the following manner. Let it be assumed that Z is a variable.

Step 1: Z=0

Step 2: The following operations are performed in an order j=1, 2, . . . l.

    Z=Z+M.sub.1 ×M.sub.2,j

Step 3: Halt.

(B) Division

A division Z÷n is performed in the following manner. Here, R_(j) is a variable, and Z is represented as a binary number and divided into 2l segments of λ bits each, the j-th segment being set as Z_(j). ##EQU74##

Step 4: ##EQU75##

Step 5: The following operations are executed in an order j=l, l-1, . . . 1. ##EQU76##

Step 6: R=R₁, halt. By steps 1 to 6, the remainder R of (M₁ ×M₂)÷n can be obtained.

Here, the range of R_(l+1) in step 4 satisfies the following condition.

    0≦R.sub.l+1 <n

This is verified as follows, based on the conditions 0≦M₁ <n and 0≦M₂ <n. ##EQU77##

Therefore, 0≦R_(l+1) ·2^(lλ) <n² and ##EQU78## For the verification, both sides of the equation for R_(j) are multiplied by 2.sup.(j-1)λ and the sum ##EQU79## of the resulting products is taken.

APPROXIMATION OF CALCULATION METHOD OF QUOTIENT Q_(j) ^(a) IN DIVISION

The quotient Q_(j) can easily be obtained by a close approximation which, as in the calculation of the quotient I_(j) in the aforementioned simultaneous multiplication-division, omits the low-order m bits of the variable R_(j+1) and replaces the division by a multiplication with a reciprocal of the divisor. That is, the division is performed using Q_(j) ' defined by the following equation instead of Q_(j). ##EQU80##

L=the effective length of n(2^(L-1) <n<2^(L))

Here, m, S and u are defined as follows:

    m≦L-λ-6

    2.sup.λ+2 +2≦S≦2.sup.λ+3

    u≧L-m+λ+2

In this case, as in the afore-described method of obtaining I_(j) by approximation, the following holds:

    Q.sub.j '=Q.sub.j +γ.sub.j, γ.sub.j =0, 1, or 2

Here, R_(j) is divided into R_(j),1 and R_(j),0, and ##EQU81## is set.

(C) Division Using Q_(j) '

In the case of using Q_(j) ' in place of Q_(j), the afore-described division changes as follows:

Step 4': ##EQU82##

Step 5': The following is executed in the order j=l, l-1, . . . 1. ##EQU83##

Step 6': ##EQU84##

Step 7': If R₁ ≧0, go to step 9'

Step 8': R₁ =R₁ +n, go back to step 7'

Step 9': R=R₁. Halt

The above-described method of multiplication-division is called a "multiplication-division successive approximating calculation method".
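As an added example, not the patent's own code, here are steps 1 to 6 of the multiply-then-divide method in Python with exact quotient digits (the approximate Q_(j)' of section (C) is not used here). Steps 4 and 5 survive on the page only as placeholders, so their form is reconstructed from the range argument that follows them: R_(l+1) is the high half of Z, which is why 0≦R_(l+1)<n, and the division runs R_(j)=2^λ·R_(j+1)+Z_(j)−Q_(j)·n for j=l, ..., 1. The names lam_digits, multiply, divide and mulmod_two_phase are chosen for this example.

```python
# Added example, not code from the patent: the two-phase "multiply, then
# divide" method of steps 1 to 6 with exact quotient digits.  Z is built up one
# multiplier digit at a time, R_{l+1} is the high half of Z (the part the page
# bounds by 0 ≤ R_{l+1} < n), and the division then runs
#     R_j = 2^λ·R_{j+1} + Z_j − Q_j·n,   j = l, ..., 1.
# ASSUMPTION: the contents of steps 4 and 5 (##EQU75, ##EQU76) are not on the
# page; this form is reconstructed from the range argument that follows them.

def lam_digits(x, lam, count):
    """Digits Z_1..Z_count of x, lam bits each (list index 0 is Z_1)."""
    mask = (1 << lam) - 1
    return [(x >> (lam * j)) & mask for j in range(count)]

def multiply(m1, m2, lam, l):
    """Steps 1-3: Z = Σ_j M1·M2,j·2^((j-1)λ), accumulated for j = 1..l."""
    z = 0
    for j, d in enumerate(lam_digits(m2, lam, l)):
        z += (m1 * d) << (lam * j)          # Z = Z + M1·M2,j at its weight
    return z

def divide(z, n, lam, l):
    """Steps 4-6.  Returns (R, Q, R_{l+1})."""
    zd = lam_digits(z, lam, 2 * l)                                   # Z_1 .. Z_{2l}
    r_top = sum(zd[j] << (lam * (j - l)) for j in range(l, 2 * l))   # high half of Z
    r, q = r_top, 0
    for j in range(l - 1, -1, -1):                                   # j = l, ..., 1
        w = (r << lam) + zd[j]                                       # 2^λ·R_{j+1} + Z_j
        qj = w // n                                                  # exact Q_j, < 2^λ
        r = w - qj * n                                               # R_j in [0, n)
        q = (q << lam) + qj
    return r, q, r_top

def mulmod_two_phase(m1, m2, n, lam=4):
    """(M1·M2) mod n by multiplication followed by digit-serial division.
    Returns (R, Q, R_{l+1}); the two phases take 2l digit steps in total,
    against l for the simultaneous method."""
    assert 0 <= m1 < n and 0 <= m2 < n
    l = (n.bit_length() + lam - 1) // lam     # digits per operand
    z = multiply(m1, m2, lam, l)
    return divide(z, n, lam, l)

if __name__ == "__main__":
    n = (1 << 89) - 1                          # constructed sample modulus
    r, q, r_top = mulmod_two_phase(12345678901234567890, 98765432109876543210, n)
    print(r == (12345678901234567890 * 98765432109876543210) % n, r_top < n)
```

Because Z < n² < n·2^(lλ), the high half R_(l+1) = [Z ÷ 2^(lλ)] is already below n, so every partial remainder stays in [0, n) and each Q_(j) fits in λ bits; the page's Q_(j)' approximation trades this exactness for a quotient that may overshoot by γ_(j)∈{0,1,2}, which the final additions of n in steps 7' and 8' repair.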

(D) Multiplier-Divider

FIG. 68 illustrates the general arrangement of the multiplier-divider based on the simultaneous multiplication-division operating method described previously with regard to FIGS. 2 and 22 and Eqs. (3) to (24). A main adder 110_(X) is an assembly of the main adders 110₁ to 110₈ shown in FIG. 36, and a register 105_(X) is an assembly of the registers 105₁ to 105₈ shown in FIG. 34 and it has the function of shifting its content to left by steps of four bits. An M₁ ·M₂,j calculator 140_(X) is an assembly of the calculators 140₁ to 140₈ shown in FIG. 37, and a -Q·n calculator 150_(X) is an assembly of the calculators 150₁ to 150₈ shown in FIG. 38. An adder 160_(X) is an assembly of the adders 160₁ to 160₈ depicted in FIG. 39, and an adding register 170_(LX) is an assembly of the registers 170_(L1) to 170_(L8) shown in FIG. 40. An adding register 170_(LY) is also a similar assembly of individual adding registers. Selectors 311_(X) and 312_(X) are assemblies of eight selectors 311 and 312 shown in FIG. 61, respectively. An adder 180_(X) is an assembly of the adders 180₁ to 180₈ shown in FIG. 4.

FIG. 69 illustrates a multiplier-divider based on the multiplication-division by successive approximation. In FIG. 69 the parts corresponding to those in FIG. 68 are identified by the same reference numerals. A selector 410 selects one of output signal lines of the calculators 140_(X) and 150_(X) and provides an output to a carry save adder 160_(Y). Switching control of the selector 410 is effected by a signal on a control line 415. The carry save adder 160_(Y) is identical in construction with the adder 160_(X). A register 105_(Y) is similar to the register 105_(X) but largely differs therefrom in that its content is shifted to the right by steps of four bits. Register sections 170_(LY) and 170_(RY) are registers of 1024-bit length. As depicted in FIG. 70, the register sections 170_(LY) and 170_(RY) are each formed by a series connection of a 514-bit register 419 and a 510-bit register 420 to constitute a 1024-bit register as a whole. This register has the function of shifting its content to the right and left by steps of four bits (λ=4). The register 170_(Y) has connected thereto a signal line 421 for determining the direction of shift, a shift command pulse input signal line 422, a signal line 423 for setting 0 in the content of the register, a register input signal line 425 and a register output signal line 426.

In the arrangement of FIG. 69, the calculation for obtaining the remainder of (M₁ ×M₂)÷n is performed as follows: At first, the input signal line 411 of the selector 410 is selected, and the register sections 170_(LY) and 170_(RY) store 0 first and perform the multiplication by the aforesaid method utilizing the function of right shift by steps of four bits, thereby obtaining the value of M₁ ×M₂ on the register sections 170_(LY) and 170_(RY) of 1024-bit length. (M₁ ×M₂ is represented as the sum of numbers stored in the register sections 170_(LY) and 170_(RY).)

Next, the input signal line 412 of the selector 410 is selected and the division is carried out by the quotient calculators 60 and 61 in the aforementioned manner utilizing the left shift function of the registers 170_(LY) and 170_(RY). In this way, the remainder of the multiplication-division (M₁ ×M₂)÷n can be obtained.

FIG. 70 illustrates the construction of a register 170_(Y) comprising the register sections 170_(LY) and 170_(RY).

FIG. 71 illustrates the general arrangement of an embodiment of the cryptosystem of the present invention which employs the simultaneous multiplication-division method, and FIG. 72 shows the general arrangement of another embodiment of the present invention which employs the successive approximating multiplication-division method. In FIGS. 71 and 72, respective input and output signal lines correspond to those in the afore-described drawings and shown at the same positions. The register 420 in FIG. 22 corresponds to 510-bit-long register 420 in FIG. 70 which has the function of shifting its content to the right and left by steps of four bits, and the signal line 21' is a multiplication control signal line. As described previously in connection with FIG. 69, the register 105_(Y) is one that has the function of shifting its content to the right by steps of four bits. The multiplication control signal line 21' is led out from the slice section 25₈ and the direction of the signal on this line is opposite to that on the signal line in FIG. 71. The register 419 in each of the register sections 170_(LY) and 170_(RY) serves as a register equivalent to an assembly of the register 104₁ to 104₈ shown in FIG. 33. Because of such an arrangement, the calculation C≡M^(e) mod n can be performed using the variables e, n and M.

In the simultaneous multiplication-division method, it is also possible to calculate first M₁ ×M₂,j for each j and then perform the operation -Q_(j) ×n. In this case, as shown in FIG. 69, a selector is provided between the calculators 140_(X) and 150_(X) and the adder 160_(X) in the arrangement of FIG. 68, and M₁ ×M₂,j and -Q_(j) ×n are alternately supplied from the selector to the adder 160_(X) for each j.

Furthermore, in the quotient calculating unit 9, the operation ##EQU85## may be directly performed without using close approximation.

Although in the foregoing embodiments the quotient calculating unit 9 is provided independently of the sliceable section 25', it is also possible to provide quotient calculators 9₁ to 9₈ in the sliced sections 25₁ to 25₈, respectively, as shown in FIG. 73, for example, and to actuate only the quotient calculator 9₁ for the calculation for cryptography, holding the others inoperative. With such an arrangement, the cryptosystem of the present invention can be formed by eight LSI chips of the same configuration and any separate LSI chips need not be provided for the quotient calculating unit. Also it is possible to constitute LSIs including one part of the quotient calculating unit 9, for instance, the post-processing section 61 or pre-processing section 60, in the respective sliced sections 25₁ to 25₈, though not shown.

Conversely, since only one controller 8₁ in the sliced section 25₁ shown in FIG. 6 is made operative, it is possible to remove all the controllers 8₁ to 8₈ from the respective sliced sections 25₁ to 25₈, and provide a single controller of an LSI chip for controlling the sliced sections 8₁ to 8₈ and the quotient calculator 9.

As has been described in the foregoing, according to the present invention, the cryptosystem for implementing the RSA cryptography C≡M^(e) mod n can easily be constituted through utilization of the present-day LSI technology even if the value of n is extremely large. For instance, the RSA cryptography employs the value n=10¹⁰⁰ to 10²⁰⁰ and, in this case, the circuit scale of the cryptosystem is as large as 100K to 200K gates. According to the present invention, the cryptosystem can be formed by a small-scale ROM and 10-to-30K-gate LSI chips of the same configuration.

Furthermore, as will be appreciated from the foregoing, the value L-m is independent of the value L. Accordingly, the calculation by the quotient calculation post-processing section is independent of the value L, that is, of the number of digits of the value n; therefore, the multiplication-division R≡M₁ ×M₂ mod n and the operation C≡M^(e) mod n can be performed with the number of sliced sections increased or decreased. In other words, the lengths of the encryption keys (n and e) can easily be changed by increasing or decreasing the number of sliced sections.

Besides, according to the present invention, the operation speed can be increased by the simultaneous multiplication-division as described previously. In this case, the main adding unit need not always be divided, that is, the arrangement shown in FIG. 68 may be employed.

It will be apparent that many modifications and variations may be effected without departing from the scope of the novel concepts of the present invention. 

I claim:
 1. An encryptosystem in which integers M, e and n (0≦M<n) are applied to M-, e- and n-registers; variables C and M₂ are stored in C- and M₂ -registers; the integer e being represented by ##EQU86## (e_(i) =1 or 0); the variable C is initially set to 1; repetitive calculations are performed in accordance with the following Steps (1) and (2) for each value i in the order i=k, k-1, k-2, . . . 1, 0; in Step (1) an operation C≡M₁ ×M₂ mod n is performed with M₁ =C and M₂ =C; in Step (2) the value of e_(i) is checked and if e_(i) =1, the operation C=M₁ ×M₂ mod n is further performed with M₁ =C and M₂ =M; and said repetitive calculations are completed with i=0, producing the last C in the form of C≡M^(e) mod n;wherein a quotient calculating unit, a main adding unit and a controller are provided for performing the operation C≡M₁ ×M₂ mod n, said main adding unit having an adding register for storing a variable R_(j) ; wherein, in order to perform the following operation in the order j=l, l-1, l-2, . . . 1, thereby to obtain the last R₁ in the form of C≡M₁ ×M₂ mod n: ##EQU87## where [ ] is a Gaussian symbol, [x] the largest possible integer smaller than or equal to x, and λ and l constants, said quotient calculating unit is connected to said C-, M₂ - and n-registers and said main adding unit and performs an operation ##EQU88## said main adding unit is connected to said quotient calculating unit and said C-, M₂ - and n-registers and forms an operation M₁ ×M₂,j '+2.sup.λ R_(j+1) -Q_(j) ·n, and said controller performs control for obtaining said C by the respective calculations of said quotient calculating unit and said main adding unit.
 2. A cryptosystem according to claim 1 wherein first and second adding registers are provided as said adding register; said variable R_(j) is divided into R_(j),0 and ##EQU89## R_(j),0 and R_(j),1 are stored in said first and second adding registers; and said main adding unit performs the following operation: ##EQU90##
 3. A cryptosystem according to claim 2 wherein said quotient calculating unit comprises a pre-processing section and a post-processing section connected thereto, said pre-processing section being supplied with said n to calculate [2^(u) ÷[n·2^(-m) ]]=v (m and u being constants) and said post-processing section being supplied with said R_(j+1), M₁, M₂,j ' and v to calculate Q_(j) " by approximation, setting ##EQU91## in the case of ω=0 and, in the case of ω=1, setting ##EQU92## and setting as said Q_(j) ##EQU93## (S being a constant, Q_(j) "=Q_(j) -δ holding and δ being an integer), and wherein compensating calculation means is included for obtaining, from said R₁, R₁ +δ·n which satisfies 0≦R₁ +δ·n<n.
 4. A cryptosystem according to claim 3 wherein said pre-processing section is a memory which is read out using [n·2^(-m) ] as its address.
 5. A cryptosystem according to claim 2 wherein λ=1 and ω=0; said quotient calculating unit is means supplied with said M₁, δ_(j), n and R_(j+1), for obtaining an approximate value Q_(j) " of Q_(j) such that the calculation result obtained by calculating [2R_(j+1) ·2^(-m) ]+[δ_(j) ·M₁ ·2^(-m) ]-[Q_(j) ·n·2^(-m) ] while changing Q_(j) successively varies in sign with respect to a reference value; and compensating calculation means is included for obtaining, from said R₁, R₁ +δ·n which satisfies 0≦R₁ +δ·n<n (δ being an integer).
 6. A cryptosystem according to claim 3 or 5 wherein said main adding unit comprises an M₁ ·M₂,j calculating section for calculating M₁ ×M₂,j ', a -Q_(j) ·n calculating section for calculating -Q_(j) "×n, said first and second adding registers for storing variables R_(j+1),0 and R_(j+1),1, means for multiplying the contents R_(j+1),0 and R_(j+1),1 of said first and second adding registers by 2.sup.λ, a carry save adder for adding together the resulting 2.sup.λ ·R_(j+1),0 and 2.sup.λ ·R_(j+1),1, the calculated M₁ ×M₂,j ' and the calculated -Q_(j) "×n and storing the addition result in said first and second adding registers, and a carry propagation adder for adding two outputs from said carry save adder and storing the addition result in said C-register; said compensating calculation means comprises a selector for selecting one of the contents of said first and second adding registers, R_(j+1),0 and R_(j+1),1, and said 2.sup.λ -multiplied values, 2.sup.λ ·R_(j+1),0 and 2.sup.λ ·R_(j+1),1, for input to said carry save adder, means for making zero one of M₁ and M₂,j ' applied to said M₁ ·M₂,j ' calculating section, means for setting -Q_(j) applied to said -Q_(j) "·n calculating section to +1, and means for selecting R_(j+1),0 and R_(j+1),1 by said selector at the time of compensating calculation, making one of M₁ and M₂,j ' zero and -Q_(j) +1, and activating said carry save adder and said carry propagation adder to perform an operation R₁ +δ·n.
 7. A cryptosystem according to claim 3 or 5 wherein said main adding unit comprises an M₁ ·M₂,j calculating section for calculating M₁ ×M₂,j ', a -Q_(j) ·n calculating section for calculating -Q_(j) "×n, said first and second adding registers for storing the variable R_(j+1),i (i=0, 1), a carry save adder for adding 2.sup.λ ·R_(j+1),i (i=0, 1) obtained by multiplying R_(j+1),i (i=0, 1) by 2.sup.λ, the calculated M₁ ·M₂,j ' and the calculated -Q_(j) "·n and storing the addition result in said first and second adding registers, and a carry propagation adder for adding two outputs from said carry save adder and storing the addition result in said C-register; and said compensating calculation means comprises a first selector for selecting either the one output from said carry save adder or the content of said C-register, a second selector for selecting either the other output from said carry save adder or the n applied to said -Q_(j) ·n calculating section, and means for selecting the content of the C-register and the n by said first and second selectors, respectively, during compensating calculation, and activating said carry propagation adder to perform an operation R₁ +δ·n.
 8. A cryptosystem according to claim 2 wherein said main adding unit comprises an M₁ ·M₂,j calculating section for calculating M₁ ×M₂,j ', a -Q_(j) ·n calculating section for calculating -Q_(j) "×n, said first and second adding registers for storing the variable R_(j+1),i (i=0, 1), a carry save adder for adding 2.sup.λ R_(j+1) obtained by multiplying R_(j+1),i by 2.sup.λ, the calculation result of said M₁ ·M₂,j calculating section and the calculation result of said -Q_(j) ·n calculating section and storing the addition result in said first and second adding registers, and a carry propagation adder for adding two outputs from said carry save adder and storing the addition result in said C-register.
 9. A cryptosystem according to claim 8, further including a selector for selecting one of the calculation results of said M₁ ·M₂,j calculating section and said -Q_(j) ·n calculating section and supplying the selected calculation result to said carry save adder, and means for adding the selected calculation result and said 2.sup.λ ·R_(j+1) and adding the addition result, for each j, with the other calculation result selected by said selector.
 10. A cryptosystem according to claim 2, 3 or 5 wherein said main adding unit is divided into a plurality of sliced sections of the same function; said M₁ and n are divided into every fixed width of their binary integers and sequentially applied to said sliced sections; said M₂,j ' and Q_(j) are applied to said sliced sections in common to them; said sliced sections each perform a calculation R_(j) =M₁ ×M₂,j '+2.sup.λ R_(j+1) -Q_(j) "×n for the M₁, n, Q_(j), M₂,j ' and R_(j+1) applied to them; and said sliced sections are each connected to a higher-order one of them via a connection signal line for applying thereto one part of the result of said calculation.
 11. A cryptosystem according to claim 10, wherein an adder for performing the addition in the calculation R_(j) =M₁ ×M₂,j '+2.sup.λ R_(j+1) -Q_(j) "×n in each sliced section is composed of a plurality of carry save adders; the number of bits of each of an input and an output signal line of said carry save adder is selected larger than the number of binary bits of the fixed width of said integers; and means is included for supplying the most significant one of binary bits of the fixed width of said integers on the low-order side in the output signal line of each carry save adder to a corresponding one of the carry save adders of the higher-order sliced sections via a part of said connection signal line, and for applying said most significant bit applied from the lower-order sliced sections to the corresponding carry save adder, for applying λ bits of the last stage output signal line of said carry save adder to the higher-order sliced section via the other part of said connection signal line to apply a signal of said λ bits from the lower-order sliced section to the last-stage output of said carry save adder.
 12. A cryptosystem according to claim 10 wherein said sliced sections each include an M₂ -register for inputting thereto said divided M₂.
 13. A cryptosystem according to claim 12 wherein said sliced sections each include a selector controlled by said e_(i) to select one of said M and C for input to said M₂ -register.
 14. A cryptosystem according to claim 13 wherein said sliced sections each include an M-register for storing said divided M.
 15. A cryptosystem according to claim 13 wherein said sliced sections each include an n-register for storing said divided n.
 16. A cryptosystem according to claim 13 wherein said sliced sections each include an e-register for storing said divided e.
 17. A cryptosystem according to claim 13 wherein said sliced sections each include a C-register for storing said divided C.
 18. A cryptosystem according to claim 13 wherein said sliced sections each include at least one part of said quotient calculating section, and only one of said quotient calculating sections of said sliced sections is made operable.
 19. A cryptosystem according to claim 13 wherein said sliced sections each include said controller, and only one of said controllers of said sliced sections is made operable.
 20. A cryptosystem in which integers M, e and n (0≦M<n) are applied to M-, e- and n-registers; variables C and M₂ are stored in C- and M₂ -registers; the integer e being represented by ##EQU94## (e_(i) =0 or 1); the variable C is initially set to 1; repetitive calculations are performed in accordance with the following Steps (1) and (2) for each value i in the order i=k, k-1, k-2, . . . 1, 0; in Step (1) an operation C≡M₁ ×M₂ mod n is performed with M₁ =C and M₂ =C; in Step (2), the value of e_(i) is checked and if e_(i) =1, the operation C≡M₁ ×M₂ mod n is further performed with M₁ =C and M₂ =M; and said repetitive calculations are completed with i=0, producing the last C in the form of C≡M^(e) mod n; said cryptosystem comprising a main adding unit including at least an M₁ ·M₂,j calculating section for calculating M₁ ×M₂,j ', a -Q_(j) ·n calculating section for calculating -Q_(j) "×n, a selector for selecting one of the calculation results M₁ ·M₂,j ' and -Q_(j) "·n, an adding register and an adder for adding the content of said adding register and the output of said selector and storing the addition result in said adding register, a controller, and a quotient calculating unit; wherein the main adding unit is controlled by said controller so that a 0 is applied as a variable Z to said adding register, said calculation result M₁ ·M₂,j ' is selected by said selector, an operation Z=Z+M₁ ×M₂,j ' is performed in the order j=1, 2, . . . l to obtain M₁ ·M₂ ≡Z, ##EQU95## (λ being a constant) is applied to said adding register, said calculation result -Q_(j) "·n is selected by said selector, and an operation R_(j) =2.sup.λ R_(j+1) +Z_(j) -Q_(j) "·n is performed in the order j=l, l-1, . . . 1; wherein said main adding unit is divided into a plurality of sliced sections of the same function, said M₁ and n are divided into every fixed width of their binary integers and sequentially applied to said sliced sections, said M₂,j ' and Q_(j) " are applied to said sliced sections in common to them, said sliced sections each perform said operations Z=Z+M₁ ×M₂,j ' and R_(j) =2.sup.λ R_(j+1) +Z_(j) -Q_(j) "·n for the M₁, n, Q_(j) " and M₂,j ' applied to them, said sliced sections are each connected to a higher-order one of them via a first connection signal line for applying thereto one part of the calculation result Z, and said sliced sections are each connected to a lower-order one of them via a second connection signal line for applying thereto the calculation result R_(j).
 21. A cryptosystem in which integers M, e and n (0≦M<n) are applied to M-, e- and n-registers; variables C and M₂ are stored in C- and M₂ -registers; the integer e being represented by ##EQU96## (e_(i) =0 or 1); the variable C is initially set to 1; repetitive calculations are performed in accordance with the following Steps (1) and (2) for each value i in the order i=k, k-1, k-2, . . . 1, 0; in Step (1) an operation C≡M₁ ×M₂ mod n is performed with M₁ =C and M₂ =C; in Step (2), the value of e_(i) is checked and if e_(i) =1, the operation C≡M₁ ×M₂ mod n is further performed with M₁ =C and M₂ =M; and said repetitive calculations are completed with i=0, producing the last C in the form of C≡M^(e) mod n; said cryptosystem comprising a main adding unit including at least an M₁ ·M₂,j calculating section for calculating M₁ ×M₂,j ', a -Q_(j) ·n calculating section for calculating -Q_(j) "×n, a selector for selecting one of the calculation results M₁ ·M₂,j ' and -Q_(j) "·n, an adding register and an adder for adding the content of said adding register and the output of said selector and storing the addition result in said adding register, a controller, and a quotient calculating unit; wherein a 0 is applied as a variable Z to said adding register, said calculation result M₁ ·M₂,j ' is selected by said selector, an operation Z=Z+M₁ ×M₂,j ' is performed in the order j=1, 2, . . . l to obtain M₁ ·M₂ ≡Z, then R_(l+1) of ##EQU97## is applied to said adding register, said calculation result -Q_(j) "·n is selected by said selector, said quotient calculating unit comprises a calculating section for calculating X_(j) =[2.sup.λ ·R_(j+1) ·2^(-m) ]+S (S being a constant) and a calculating section for calculating ##EQU98## and said quotient calculating unit is controlled by said controller to calculate

    Q_(j) "=[X_(j) ×v×2^(-u) ]+1 when X_(j) ≧0, and Q_(j) "=[X_(j) ×v×2^(-u) ] when X_(j) <0,

or

    Q_(j) "=[X_(j) ×v×2^(-u) ]+1 when X_(j) >0, and Q_(j) "=[X_(j) ×v×2^(-u) ] when X_(j) ≦0,

and to calculate R_(j) =2.sup.λ R_(j+1) +Z_(j) -Q_(j) "·n in the order j=l, l-1, . . . 1; wherein compensation calculation means is included for calculating, when R₁ <0, R₁ =R₁ +n until R₁ ≧0 is obtained; wherein said main adding unit is divided into a plurality of sliced sections of the same function, said M₁ and n are applied to said sliced sections while being sequentially divided for each fixed width of their integers, said M₂,j ' and Q_(j) " are applied to said sliced sections in common to them, said sliced sections each perform said operations Z=Z+M₁ ×M₂,j ' and R_(j) =2.sup.λ R_(j+1) +Z_(j) -Q_(j) "·n for the M₁, n, Q_(j) " and M₂,j ' applied to them, said sliced sections are each connected to a higher-order one of them via a first connection signal line for applying thereto one part of the calculation result Z, and said sliced sections are each connected to a lower-order one of them via a second connection signal line for applying thereto the calculation result R_(j).
 22. A cryptosystem according to claim 20 wherein first and second adding registers are provided as said adding register; said variable R_(j) is divided into R_(j),0 and ##EQU99## R_(j),0 and R_(j),1 are stored in said first and second adding registers; and said main adding unit performs the following operation: ##STR1## 
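The following is an added worked example, not the patent's circuit or any code of its author. It runs the square-and-multiply loop of claim 1 (C=1; for each bit e_i from the top, C=C·C mod n, then C=C·M mod n when e_i=1) on top of the digit-serial reduction R_j = M₁·M₂,j' + 2^λ R_(j+1) − Q_j''·n of claims 1 and 2, with Q_j'' estimated from a reciprocal v = [2^u ÷ [n·2^(-m)]] precomputed once per modulus as in claim 3, and the compensating step that moves R₁ into [0, n). Python integers stand in for the registers; the guard width GUARD (how many leading bits of n the estimator keeps), the choice u = 2·GUARD, the helper names, and the check values (the textbook n=3233, e=17, d=2753 and seeded random moduli) are assumptions of this example. It omits the bias constant S and the one-sided +1 rule of claim 21 and instead corrects R₁ in both directions, and it does not model the bit-sliced sections of claims 10 to 19 or the Z-first ordering of claims 20 and 21.

```python
"""Digit-serial modular multiplication with an estimated quotient, driving the
left-to-right square-and-multiply loop of claim 1.

Added example, not the patent's circuit: Python integers stand in for the
M-, e-, n-, C- and M2-registers and the adding register R.  GUARD, the helper
names and the check values are assumptions of this example."""
import random

LAMBDA = 8           # digit width λ: M2 is consumed λ bits per step, MSB digit first
GUARD = LAMBDA + 8   # leading bits of n kept by the quotient estimator (assumption)


def digits_msb_first(x, width):
    """Base-2**width digits of x, most significant first: M2,l', ..., M2,1'."""
    digits = []
    while x:
        digits.append(x & ((1 << width) - 1))
        x >>= width
    return digits[::-1] or [0]


class QuotientEstimator:
    """Claim 3 style pre-processing, done once per modulus:
    v = [2^u / [n * 2^-m]], a short reciprocal of the top GUARD bits of n."""

    def __init__(self, n, guard=GUARD):
        self.m = max(0, n.bit_length() - guard)   # low bits of n that are dropped
        self.u = 2 * guard                         # fixed-point scale of v
        self.v = (1 << self.u) // (n >> self.m)

    def estimate(self, t):
        """Post-processing: Q'' = [[t * 2^-m] * v * 2^-u], close to [t / n], using
        shifts and one short multiply.  Python's >> floors like the Gaussian
        bracket, so a negative t (from a negative R_{j+1}) is handled too."""
        return ((t >> self.m) * self.v) >> self.u


def mod_mul_interleaved(m1, m2, n, est, width=LAMBDA, stats=None):
    """R_j = M1*M2,j' + 2^λ R_{j+1} - Q_j''*n for j = l, ..., 1 with R_{l+1} = 0,
    then the compensating step R_1 + δ*n that lands the result in [0, n).
    Multiplication and reduction are interleaved; no full-width divide occurs."""
    assert 0 <= m1 < n and 0 <= m2 < n
    r = 0                                           # R_{l+1}
    for d in digits_msb_first(m2, width):           # d = M2,j'
        t = m1 * d + (r << width)                   # M1*M2,j' + 2^λ R_{j+1}
        q = est.estimate(t)                         # Q_j'' = Q_j - δ_j
        if stats is not None:
            stats["max_abs_delta"] = max(stats["max_abs_delta"], abs(q - t // n))
        r = t - q * n                               # R_j, may stray into [-n, 2n)
    fixes = 0                                       # compensating calculation
    while r < 0:
        r, fixes = r + n, fixes + 1
    while r >= n:
        r, fixes = r - n, fixes + 1
    if stats is not None:
        stats["max_fixes"] = max(stats["max_fixes"], fixes)
    return r


def mod_exp(m, e, n, stats=None):
    """Claim 1: C = 1; for i = k..0: C = C*C mod n (Step 1), then if e_i = 1,
    C = C*M mod n (Step 2).  Returns C = M^e mod n."""
    assert 0 <= m < n
    est = QuotientEstimator(n)
    c = 1 % n
    for i in range(e.bit_length() - 1, -1, -1):
        c = mod_mul_interleaved(c, c, n, est, stats=stats)
        if (e >> i) & 1:
            c = mod_mul_interleaved(c, m, n, est, stats=stats)
    return c


def self_check(seed=2024):
    """Cross-check against pow() on constructed inputs: the textbook RSA numbers
    n=3233, e=17, d=2753 and seeded random odd moduli.  Returns (ok, stats), where
    stats holds the worst |Q''-Q| seen and the worst number of final fix-ups."""
    rng = random.Random(seed)
    stats = {"max_abs_delta": 0, "max_fixes": 0}
    ok = mod_exp(65, 17, 3233, stats) == 2790 and mod_exp(2790, 2753, 3233, stats) == 65
    for bits in (8, 64, 256, 1024):
        for _ in range(2):
            n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
            m, e = rng.randrange(n), rng.getrandbits(bits) | 1
            ok = ok and mod_exp(m, e, n, stats) == pow(m, e, n)
    return ok, stats


if __name__ == "__main__":
    ok, stats = self_check()
    print("matches pow():", ok, "| worst |Q''-Q|:", stats["max_abs_delta"],
          "| worst fix-ups:", stats["max_fixes"])
```

With GUARD = λ+8 leading bits of n and u = 2·GUARD, each estimate lands within one of the exact quotient, so every R_j stays in [−n, 2n) and the compensating step is at most one addition or subtraction of n; `self_check` records this as stats["max_abs_delta"] and stats["max_fixes"]. Correctness of the final value does not depend on the estimate being good, only on the identity R₁ = M₁M₂ − (ΣQ_j''·2^(λ(j-1)))·n, which holds for any Q_j''; the estimate quality only bounds the register width and the number of fix-ups, which is the engineering trade the claims are about.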